From 928886457e8eb0687da089b23285f483442251f1 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 11 Jun 2013 14:59:48 -0400 Subject: [PATCH 001/163] Fix some pointer casting issues. This also fixes the size of an empty vendor_cert or dbx_cert. Signed-off-by: Peter Jones --- cert.S | 2 +- shim.c | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/cert.S b/cert.S index 2ed9b6d..66a05b8 100644 --- a/cert.S +++ b/cert.S @@ -32,5 +32,5 @@ vendor_cert: .size vendor_cert_size, 4 .section .vendor_cert, "a", @progbits vendor_cert_size: - .long 1 + .long 0 #endif diff --git a/shim.c b/shim.c index 94b9710..7d43f04 100644 --- a/shim.c +++ b/shim.c @@ -59,7 +59,7 @@ static UINT32 load_options_size; */ extern UINT8 vendor_cert[]; extern UINT32 vendor_cert_size; -extern EFI_SIGNATURE_LIST *vendor_dbx; +extern UINT8 vendor_dbx[]; extern UINT32 vendor_dbx_size; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} @@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, UINT8 *sha256hash, UINT8 *sha1hash) { EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; + EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; - if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash, + if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, SHA256_DIGEST_SIZE, EfiHashSha256Guid) == DATA_FOUND) return EFI_ACCESS_DENIED; - if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash, + if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, SHA1_DIGEST_SIZE, EfiHashSha1Guid) == DATA_FOUND) return EFI_ACCESS_DENIED; - if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert, + if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash) == DATA_FOUND) return EFI_ACCESS_DENIED; From b32a3ce14cae55777f3c7e08b4aed8cb31607c7e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 16 Sep 2013 09:27:08 -0400 Subject: [PATCH 002/163] Don't print that fallback isn't found in should_use_fallback() The call can simply fail if it isn't found - which will be the case on removeable install media. Signed-off-by: Peter Jones --- shim.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/shim.c b/shim.c index 7d43f04..c814685 100644 --- a/shim.c +++ b/shim.c @@ -951,7 +951,12 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(vh->Open, 5, vh, &fh, L"\\EFI\\BOOT" FALLBACK, EFI_FILE_MODE_READ, 0); if (EFI_ERROR(rc)) { - Print(L"Could not open \"\\EFI\\BOOT%s\": %d\n", FALLBACK, rc); + /* Do not print the error here - this is an acceptable case + * for removable media, where we genuinely don't want + * fallback.efi to exist. + * Print(L"Could not open \"\\EFI\\BOOT%s\": %d\n", FALLBACK, + * rc); + */ uefi_call_wrapper(vh->Close, 1, vh); return 0; } From e75294e569df101b9c7194d9f9afc09056a99469 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 16 Sep 2013 09:27:08 -0400 Subject: [PATCH 003/163] Don't print things on the screen by default when everything works. There's no point to this text, and it generally confuses people. Signed-off-by: Peter Jones --- shim.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index c814685..eaabefc 100644 --- a/shim.c +++ b/shim.c @@ -53,6 +53,7 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB static CHAR16 *second_stage; static void *load_options; static UINT32 load_options_size; +static UINT8 verbose; /* * The vendor certificate used for validating the second stage loader @@ -431,7 +432,8 @@ static BOOLEAN secure_mode (void) /* FIXME - more paranoia here? */ if (status != EFI_SUCCESS || sb != 1) { - Print(L"Secure boot not enabled\n"); + if (verbose) + Print(L"Secure boot not enabled\n"); return FALSE; } @@ -439,7 +441,8 @@ static BOOLEAN secure_mode (void) (void *)&setupmode); if (status == EFI_SUCCESS && setupmode == 1) { - Print(L"Platform is in setup mode\n"); + if (verbose) + Print(L"Platform is in setup mode\n"); return FALSE; } @@ -699,7 +702,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, status = check_whitelist(cert, sha256hash, sha1hash); if (status == EFI_SUCCESS) { - Print(L"Binary is whitelisted\n"); + if (verbose) + Print(L"Binary is whitelisted\n"); return status; } @@ -711,7 +715,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - Print(L"Binary is verified by the vendor certificate\n"); + if (verbose) + Print(L"Binary is verified by the vendor certificate\n"); return status; } @@ -724,7 +729,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - Print(L"Binary is verified by the vendor certificate\n"); + if (verbose) + Print(L"Binary is verified by the vendor certificate\n"); return status; } @@ -1476,6 +1482,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) static SHIM_LOCK shim_lock_interface; EFI_HANDLE handle = NULL; EFI_STATUS efi_status; + UINT8 verbose_check; + UINTN verbose_check_size; + UINT32 attributes; + EFI_GUID global_var = EFI_GLOBAL_VARIABLE; /* * Set up the shim lock protocol so that grub and MokManager can @@ -1492,6 +1502,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ InitializeLib(image_handle, systab); + verbose_check_size = 1; + efi_status = get_variable(L"SHIM_VERBOSE", global_var, &attributes, + &verbose_check_size, (void *)&verbose_check); + if (!EFI_ERROR(efi_status)) + verbose = verbose_check; + /* Set the second stage loader */ set_second_stage (image_handle); From cb59de3847c7fa42180a4673812e0ada9696fd27 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 23 Sep 2013 10:40:49 -0400 Subject: [PATCH 004/163] Make SHIM_LOCK_GUID a first-class object with a symbol. Right now the CA is checking if shim builds expose a particular version of the shim protocol. To do this, they're looking for SHIM_LOCK_GUID's value in the resulting binary. Currently, with SHIM_LOCK_GUID as a macro that gets assigned to local variables, that means they have to compensate for mov instructions mixed in with the actual value. This is completely absurd, so promote it to a first-class object with a symbol to make it both easy to find and continuous. Signed-off-by: Peter Jones --- shim.c | 2 ++ shim.h | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index eaabefc..28e4da5 100644 --- a/shim.c +++ b/shim.c @@ -55,6 +55,8 @@ static void *load_options; static UINT32 load_options_size; static UINT8 verbose; +EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; + /* * The vendor certificate used for validating the second stage loader */ diff --git a/shim.h b/shim.h index 0819259..f7a766a 100644 --- a/shim.h +++ b/shim.h @@ -1,7 +1,6 @@ #include "PeImage.h" -#define SHIM_LOCK_GUID \ - { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} } +extern EFI_GUID SHIM_LOCK_GUID; INTERFACE_DECL(_SHIM_LOCK); From 71da4f9be4c95cc364f1ac0ec0fa8fe8211d453e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 23 Sep 2013 10:48:41 -0400 Subject: [PATCH 005/163] Made TODO represent the present. Signed-off-by: Peter Jones --- TODO | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/TODO b/TODO index 2de89ba..1c9debd 100644 --- a/TODO +++ b/TODO @@ -1 +1,35 @@ -Support for netbooting \ No newline at end of file +Hardening startimage: +- Don't allow non-participating bootloaders/kernels to call + ExitBootServices(), but trap in StartImage() so we can let them do + that. +Versioned protocol: +- Make shim and the bootloaders using it express how enlightened they + are to one another, so we can stop earlier without tricks like + the one above +MokListRT containing shim key: +- MokListRT has to contain the shim key... +MokListRT signing: +- For kexec and hybernate to work right, MokListRT probably needs to + be an authenticated variable. It's probable this needs to be done + in the kernel boot stub instead, just because it'll need an + ephemeral key to be generated, and that means we need some entropy + to build up. +Better ui: +- Gary Lin at SuSE is working on better UI for MokManager. It + desperately needs it. +James's modification: +- We're merging James Bottomley's hack to make shim use unpublished + system crypto services, as a compile time option. +New security protocol: +- TBD +kexec MoK Management: +Modsign enforcement mgmt MoK: +- This is part of the plan for SecureBoot patches. Basically these + features need to be disableable/enableable in MokManager. +Variable for debug: +- basically we need to be able to set a UEFI variable and get debug + output. +Db key mokutil config: +- I've completely forgotten what I meant by this. It was something + Vojtêch was going to do/have done, so I'm sure he'll be able to + refresh my memory. From 43df9d24f2e85cce5f76031812082458aab0722e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 23 Sep 2013 11:05:08 -0400 Subject: [PATCH 006/163] Update TODO with missing description. Signed-off-by: Peter Jones --- TODO | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/TODO b/TODO index 1c9debd..5a03aba 100644 --- a/TODO +++ b/TODO @@ -30,6 +30,6 @@ Variable for debug: - basically we need to be able to set a UEFI variable and get debug output. Db key mokutil config: -- I've completely forgotten what I meant by this. It was something - Vojtêch was going to do/have done, so I'm sure he'll be able to - refresh my memory. +- Asked for by Mimi Zohar: An (on/off) option that would prevent the shim + and the kernel from trusting keys listed in 'db' and only use those coming + from the MOK List. From bea90083d232400742fef0a2a978da3d31b34e04 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 23 Sep 2013 13:24:48 -0400 Subject: [PATCH 007/163] Add MokListRT option rom entry. Signed-off-by: Peter Jones --- TODO | 3 +++ 1 file changed, 3 insertions(+) diff --git a/TODO b/TODO index 5a03aba..a18f600 100644 --- a/TODO +++ b/TODO @@ -33,3 +33,6 @@ Db key mokutil config: - Asked for by Mimi Zohar: An (on/off) option that would prevent the shim and the kernel from trusting keys listed in 'db' and only use those coming from the MOK List. +Hashing of option roms: +- hash option roms and add them to MokListRT +- probably belongs in MokManager From fbc486b50d867450e5b85429d67459022cd95882 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:21 -0400 Subject: [PATCH 008/163] Pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE A wrong pointer was being passed to EFI_PXE_BASE_CODE_TFTP_READ_FILE, preventing us from getting the file size back from the tftp call, ensuring that we don't have enough information to properly secureboot-validate the retrieved image. --- netboot.c | 4 ++-- shim.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/netboot.c b/netboot.c index c44aeac..66300d6 100644 --- a/netboot.c +++ b/netboot.c @@ -326,7 +326,7 @@ EFI_STATUS parseNetbootinfo(EFI_HANDLE image_handle) return rc; } -EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINTN *bufsiz) +EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *bufsiz) { EFI_STATUS rc; EFI_PXE_BASE_CODE_TFTP_OPCODE read = EFI_PXE_BASE_CODE_TFTP_READ_FILE; @@ -344,7 +344,7 @@ EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINTN *bufs try_again: rc = uefi_call_wrapper(pxe->Mtftp, 10, pxe, read, *buffer, overwrite, - &bufsiz, &blksz, &tftp_addr, full_path, NULL, nobuffer); + bufsiz, &blksz, &tftp_addr, full_path, NULL, nobuffer); if (rc == EFI_BUFFER_TOO_SMALL) { /* try again, doubling buf size */ diff --git a/shim.c b/shim.c index 28e4da5..d2ff51a 100644 --- a/shim.c +++ b/shim.c @@ -1181,7 +1181,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) EFI_DEVICE_PATH *path; CHAR16 *PathName = NULL; void *sourcebuffer = NULL; - UINTN sourcesize = 0; + UINT64 sourcesize = 0; void *data = NULL; int datasize; From 2d8cfca2cea79a3ca2678cea742497f841426cbc Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:25 -0400 Subject: [PATCH 009/163] Build with -Werror to catch future prototype mismatches. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4bdd603..89912de 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = elf_$(ARCH)_efi.lds CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \ + -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ -mno-mmx -mno-sse \ $(EFI_INCLUDES) ifeq ($(ARCH),x86_64) From e2979f2c5fc302fcde557e1f1c16408e17be1b75 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:28 -0400 Subject: [PATCH 010/163] Fix nul termination errors in filenames passed to tftp Fix various errors in the tftp string handling, to ensure we always have properly nul-terminated strings. --- netboot.c | 38 ++++++++++++++++---------------------- 1 file changed, 16 insertions(+), 22 deletions(-) diff --git a/netboot.c b/netboot.c index 66300d6..a10b261 100644 --- a/netboot.c +++ b/netboot.c @@ -53,7 +53,7 @@ static inline unsigned short int __swap16(unsigned short int x) static EFI_PXE_BASE_CODE *pxe; static EFI_IP_ADDRESS tftp_addr; -static char *full_path; +static UINT8 *full_path; typedef struct { @@ -111,7 +111,7 @@ try_again: for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) { status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i], &pxe_base_code_protocol, - &pxe, image_handle, NULL, + (void **)&pxe, image_handle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL); if (status != EFI_SUCCESS) { @@ -227,15 +227,15 @@ static UINT8 *str2ip6(char *str) static BOOLEAN extract_tftp_info(char *url) { - char *start, *end; + CHAR8 *start, *end; char ip6str[128]; - char *template = "/grubx64.efi"; + CHAR8 *template = (CHAR8 *)"/grubx64.efi"; if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); return FALSE; } - start = url + 7; + start = (CHAR8 *)url + 7; if (*start != '[') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; @@ -250,21 +250,19 @@ static BOOLEAN extract_tftp_info(char *url) Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } - *end = '\0'; memset(ip6str, 0, 128); - memcpy(ip6str, start, strlen((UINT8 *)start)); - *end = ']'; + memcpy(ip6str, start, end + 1 - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); - full_path = AllocatePool(strlen((UINT8 *)end)+strlen((UINT8 *)template)+1); + full_path = AllocateZeroPool(strlen(end)+strlen(template)+1); if (!full_path) return FALSE; - memset(full_path, 0, strlen((UINT8 *)end)+strlen((UINT8 *)template)); - memcpy(full_path, end, strlen((UINT8 *)end)); - end = strrchr(full_path, '/'); + memcpy(full_path, end, strlen(end)); + end = (CHAR8 *)strrchr((char *)full_path, '/'); if (!end) - end = full_path; - memcpy(end, template, strlen((UINT8 *)template)); + end = (CHAR8 *)full_path; + memcpy(end, template, strlen(template)); + end[strlen(template)] = '\0'; return TRUE; } @@ -285,19 +283,15 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { - char *template = "/grubx64.efi"; - char *tmp = AllocatePool(16); + CHAR8 *template = (CHAR8 *)"/grubx64.efi"; + full_path = AllocateZeroPool(strlen(template)+1); - - if (!tmp) + if (!full_path) return EFI_OUT_OF_RESOURCES; - memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); - memcpy(tmp, template, 12); - tmp[13] = '\0'; - full_path = tmp; + memcpy(full_path, template, strlen(template)); /* Note we don't capture the filename option here because we know its shim.efi * We instead assume the filename at the end of the path is going to be grubx64.efi From 3816832bc5117670426cf291fc01d6ba5bef83d7 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:31 -0400 Subject: [PATCH 011/163] Fix an off-by-one error We don't need to add one because our end pointer is already off the end of the string we want to copy. --- netboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netboot.c b/netboot.c index a10b261..e543363 100644 --- a/netboot.c +++ b/netboot.c @@ -251,7 +251,7 @@ static BOOLEAN extract_tftp_info(char *url) return FALSE; } memset(ip6str, 0, 128); - memcpy(ip6str, start, end + 1 - start); + memcpy(ip6str, start, end - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); full_path = AllocateZeroPool(strlen(end)+strlen(template)+1); From 6eaa1a9c9e322e7e0b7ef08181c3450655f32857 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:34 -0400 Subject: [PATCH 012/163] Misc allocation cleanups --- netboot.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/netboot.c b/netboot.c index e543363..e7010e7 100644 --- a/netboot.c +++ b/netboot.c @@ -159,10 +159,9 @@ static char *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) if (ntohs(option->OpCode) == 59) { /* This is the bootfile url option */ urllen = ntohs(option->Length); - url = AllocatePool(urllen+2); + url = AllocateZeroPool(urllen+1); if (!url) return NULL; - memset(url, 0, urllen+2); memcpy(url, option->Data, urllen); return url; } @@ -274,10 +273,13 @@ static EFI_STATUS parseDhcp6() bootfile_url = get_v6_bootfile_url(packet); - if (extract_tftp_info(bootfile_url) == FALSE) - return EFI_NOT_FOUND; if (!bootfile_url) return EFI_NOT_FOUND; + if (extract_tftp_info(bootfile_url) == FALSE) { + FreePool(bootfile_url); + return EFI_NOT_FOUND; + } + FreePool(bootfile_url); return EFI_SUCCESS; } From af049ff4578019cc11d04bcfe0707cff5532274a Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:38 -0400 Subject: [PATCH 013/163] More consistent types, fewer casts --- netboot.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/netboot.c b/netboot.c index e7010e7..ff63cde 100644 --- a/netboot.c +++ b/netboot.c @@ -141,11 +141,11 @@ try_again: return rc; } -static char *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) +static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) { void *optr; EFI_DHCP6_PACKET_OPTION *option; - char *url; + CHAR8 *url; UINT32 urllen; optr = pkt->DhcpOptions; @@ -224,7 +224,7 @@ static UINT8 *str2ip6(char *str) return (UINT8 *)ip; } -static BOOLEAN extract_tftp_info(char *url) +static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; char ip6str[128]; @@ -234,7 +234,7 @@ static BOOLEAN extract_tftp_info(char *url) Print(L"URLS MUST START WITH tftp://\n"); return FALSE; } - start = (CHAR8 *)url + 7; + start = url + 7; if (*start != '[') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; @@ -269,8 +269,7 @@ static BOOLEAN extract_tftp_info(char *url) static EFI_STATUS parseDhcp6() { EFI_PXE_BASE_CODE_DHCPV6_PACKET *packet = (EFI_PXE_BASE_CODE_DHCPV6_PACKET *)&pxe->Mode->DhcpAck.Raw; - char *bootfile_url; - + CHAR8 *bootfile_url; bootfile_url = get_v6_bootfile_url(packet); if (!bootfile_url) From 69a54db486b6b01c50d6a43294f881cfc9906268 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:47 -0400 Subject: [PATCH 014/163] Correct limits on the length of ipv6 addresses The maximum length of a string representation of an ipv6 address is 39 characters (8 groups of 4 hex chars, with 7 colons in between). So don't allocate more room than this - and more importantly, don't blindly accept strings from the server that are longer than our buffer... --- netboot.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/netboot.c b/netboot.c index ff63cde..cbbba66 100644 --- a/netboot.c +++ b/netboot.c @@ -227,7 +227,7 @@ static UINT8 *str2ip6(char *str) static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; - char ip6str[128]; + char ip6str[40]; CHAR8 *template = (CHAR8 *)"/grubx64.efi"; if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { @@ -244,12 +244,16 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) end = start; while ((*end != '\0') && (*end != ']')) { end++; + if (end - start > 39) { + Print(L"TFTP URL includes malformed IPv6 address\n"); + return FALSE; + } } if (end == '\0') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } - memset(ip6str, 0, 128); + memset(ip6str, 0, 40); memcpy(ip6str, start, end - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); From 5ccacd3a48fb8963826a817b42239142e4764914 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Tue, 24 Sep 2013 12:05:51 -0400 Subject: [PATCH 015/163] Fix a memory leak --- netboot.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/netboot.c b/netboot.c index cbbba66..a8904fd 100644 --- a/netboot.c +++ b/netboot.c @@ -355,6 +355,8 @@ try_again: goto try_again; } + if (rc != EFI_SUCCESS && *buffer) { + FreePool(*buffer); + } return rc; - } From a869915a1d5806e84d2847d2093a79f750caf330 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 09:56:26 -0400 Subject: [PATCH 016/163] MokManager needs to disable the graphics console. Without this patch, on some machines we never see MokManager's UI. This protocol has never (I think?) been officially published, and yet I still have new hardware that needs it. If you're looking for a reference, look at: EdkCompatibilityPkg/Foundation/Protocol/ConsoleControl/ConsoleControl.c in the edk2 tree from Tiano. Signed-off-by: Peter Jones --- Makefile | 2 +- MokManager.c | 32 ++++++++++++++++++++++++++++++++ console_control.h | 44 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 console_control.h diff --git a/Makefile b/Makefile index 89912de..513339f 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key SOURCES = shim.c shim.h netboot.c signature.h PeImage.h MOK_OBJS = MokManager.o -MOK_SOURCES = MokManager.c shim.h +MOK_SOURCES = MokManager.c shim.h console_control.h FALLBACK_OBJS = fallback.o FALLBACK_SRCS = fallback.c diff --git a/MokManager.c b/MokManager.c index 97588cb..88a396d 100644 --- a/MokManager.c +++ b/MokManager.c @@ -5,6 +5,7 @@ #include "shim.h" #include "signature.h" #include "PeImage.h" +#include "console_control.h" #define PASSWORD_MAX 16 #define PASSWORD_MIN 8 @@ -1894,6 +1895,34 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) return EFI_SUCCESS; } +static VOID setup_console (int text) +{ + EFI_STATUS status; + EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; + EFI_CONSOLE_CONTROL_PROTOCOL *concon; + static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = + EfiConsoleControlScreenGraphics; + EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; + + status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); + if (status != EFI_SUCCESS) + return; + + if (text) { + new_mode = EfiConsoleControlScreenText; + + status = uefi_call_wrapper(concon->GetMode, 4, concon, &mode, + 0, 0); + /* If that didn't work, assume it's graphics */ + if (status != EFI_SUCCESS) + mode = EfiConsoleControlScreenGraphics; + } else { + new_mode = mode; + } + + uefi_call_wrapper(concon->SetMode, 2, concon, new_mode); +} + static EFI_STATUS setup_rand (void) { EFI_TIME time; @@ -1925,9 +1954,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *systab) InitializeLib(image_handle, systab); + setup_console(1); + setup_rand(); efi_status = check_mok_request(image_handle); + setup_console(0); return efi_status; } diff --git a/console_control.h b/console_control.h new file mode 100644 index 0000000..5fb8a4a --- /dev/null +++ b/console_control.h @@ -0,0 +1,44 @@ +#ifndef _SHIM_CONSOLE_CONTROL_H +#define _SHIM_CONSOLE_CONTROL_H 1 + +#define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \ + { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} } + +typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; + +typedef enum { + EfiConsoleControlScreenText, + EfiConsoleControlScreenGraphics, + EfiConsoleControlScreenMaxValue +} EFI_CONSOLE_CONTROL_SCREEN_MODE; + +typedef +EFI_STATUS +(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE) ( + IN EFI_CONSOLE_CONTROL_PROTOCOL *This, + OUT EFI_CONSOLE_CONTROL_SCREEN_MODE *Mode, + OUT BOOLEAN *GopUgaExists, OPTIONAL + OUT BOOLEAN *StdInLocked OPTIONAL + ); + +typedef +EFI_STATUS +(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE) ( + IN EFI_CONSOLE_CONTROL_PROTOCOL *This, + IN EFI_CONSOLE_CONTROL_SCREEN_MODE Mode + ); + +typedef +EFI_STATUS +(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN) ( + IN EFI_CONSOLE_CONTROL_PROTOCOL *This, + IN CHAR16 *Password + ); + +struct _EFI_CONSOLE_CONTROL_PROTOCOL { + EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE GetMode; + EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE SetMode; + EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN LockStdIn; +}; + +#endif /* _SHIM_CONSOLE_CONTROL_H */ From ebda1052c937797940f4cbb88b7e5f3e53d64647 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 09:56:32 -0400 Subject: [PATCH 017/163] Ignore tarballs. Signed-off-by: Peter Jones --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index e46ec8a..85da8e7 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ shim_cert.h *.so *.srl *.srl.old +*.tar.* From 227d13a2d96c71aae30dcbc47ac521c7f81b9974 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 11:56:52 -0400 Subject: [PATCH 018/163] We have to declare SHIM_LOCK_GUID here as well. Signed-off-by: Peter Jones Conflicts: MokManager.c --- MokManager.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/MokManager.c b/MokManager.c index 88a396d..1ef7e51 100644 --- a/MokManager.c +++ b/MokManager.c @@ -17,6 +17,8 @@ #define EFI_VARIABLE_APPEND_WRITE 0x00000040 +EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; + #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" From 2aa2ddd8a823452fa25955816546fb7455c108ce Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 11:57:51 -0400 Subject: [PATCH 019/163] Port MokManager to Linux Foundation loader UI code This is the first stage of porting the MokManager UI to the UI code used by the Linux Foundation UEFI loader. Conflicts: MokManager.c --- MokManager.c | 1222 ++++++++++++++++++-------------------------------- 1 file changed, 426 insertions(+), 796 deletions(-) diff --git a/MokManager.c b/MokManager.c index 1ef7e51..c254fdc 100644 --- a/MokManager.c +++ b/MokManager.c @@ -7,6 +7,9 @@ #include "PeImage.h" #include "console_control.h" +#include "include/console.h" +#include "include/simple_file.h" + #define PASSWORD_MAX 16 #define PASSWORD_MIN 8 #define SB_PASSWORD_LEN 8 @@ -59,7 +62,7 @@ static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes, *buffer = AllocatePool(*size); if (!*buffer) { - Print(L"Unable to allocate variable buffer\n"); + console_notify(L"Unable to allocate variable buffer"); return EFI_OUT_OF_RESOURCES; } @@ -91,24 +94,24 @@ static EFI_STATUS get_sha1sum (void *Data, int DataSize, UINT8 *hash) ctx = AllocatePool(ctxsize); if (!ctx) { - Print(L"Unable to allocate memory for hash context\n"); + console_notify(L"Unable to allocate memory for hash context"); return EFI_OUT_OF_RESOURCES; } if (!Sha1Init(ctx)) { - Print(L"Unable to initialise hash\n"); + console_notify(L"Unable to initialise hash"); status = EFI_OUT_OF_RESOURCES; goto done; } if (!(Sha1Update(ctx, Data, DataSize))) { - Print(L"Unable to generate hash\n"); + console_notify(L"Unable to generate hash"); status = EFI_OUT_OF_RESOURCES; goto done; } if (!(Sha1Final(ctx, hash))) { - Print(L"Unable to finalise hash\n"); + console_notify(L"Unable to finalise hash"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -129,7 +132,7 @@ static UINT32 count_keys(void *Data, UINTN DataSize) while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { - Print(L"Doesn't look like a key or hash\n"); + console_notify(L"Doesn't look like a key or hash"); dbsize -= CertList->SignatureListSize; CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); @@ -138,7 +141,7 @@ static UINT32 count_keys(void *Data, UINTN DataSize) if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && (CertList->SignatureSize != 48)) { - Print(L"Doesn't look like a valid hash\n"); + console_notify(L"Doesn't look like a valid hash"); dbsize -= CertList->SignatureListSize; CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); @@ -166,7 +169,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { list = AllocatePool(sizeof(MokListNode) * num); if (!list) { - Print(L"Unable to allocate MOK list\n"); + console_notify(L"Unable to allocate MOK list"); return NULL; } @@ -203,15 +206,17 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { return list; } -static void print_x509_name (X509_NAME *X509Name, CHAR16 *name) +static CHAR16* get_x509_name (X509_NAME *X509Name, CHAR16 *name) { char *str; + CHAR16 *ret = NULL; str = X509_NAME_oneline(X509Name, NULL, 0); if (str) { - Print(L" %s:\n %a\n", name, str); + ret = PoolPrint(L"%s: %a", name, str); OPENSSL_free(str); } + return ret; } static const char *mon[12]= { @@ -318,7 +323,7 @@ error: return; } -static void print_x509_time (ASN1_TIME *time, CHAR16 *name) +static CHAR16* get_x509_time (ASN1_TIME *time, CHAR16 *name) { CHAR16 time_string[30]; @@ -330,48 +335,126 @@ static void print_x509_time (ASN1_TIME *time, CHAR16 *name) time_string[0] = '\0'; } - Print(L" %s:\n %s\n", name, time_string); + return PoolPrint(L"%s: %s", name, time_string); } -static void show_x509_info (X509 *X509Cert) +static void show_x509_info (X509 *X509Cert, UINT8 *hash) { ASN1_INTEGER *serial; BIGNUM *bnser; unsigned char hexbuf[30]; X509_NAME *X509Name; ASN1_TIME *time; + CHAR16 *issuer = NULL; + CHAR16 *subject = NULL; + CHAR16 *from = NULL; + CHAR16 *until = NULL; + POOL_PRINT hash_string1; + POOL_PRINT hash_string2; + POOL_PRINT serial_string; + int fields = 0; + CHAR16 **text; + int i = 0; + + ZeroMem(&hash_string1, sizeof(hash_string1)); + ZeroMem(&hash_string2, sizeof(hash_string2)); + ZeroMem(&serial_string, sizeof(serial_string)); serial = X509_get_serialNumber(X509Cert); if (serial) { int i, n; bnser = ASN1_INTEGER_to_BN(serial, NULL); n = BN_bn2bin(bnser, hexbuf); - Print(L" Serial Number:\n "); - for (i = 0; i < n-1; i++) { - Print(L"%02x:", hexbuf[i]); + CatPrint(&serial_string, L"Serial Number:"); + for (i = 0; i < n; i++) { + CatPrint(&serial_string, L"%02x:", hexbuf[i]); } - Print(L"%02x\n", hexbuf[n-1]); } + if (serial_string.str) + fields++; + X509Name = X509_get_issuer_name(X509Cert); if (X509Name) { - print_x509_name(X509Name, L"Issuer"); + issuer = get_x509_name(X509Name, L"Issuer"); + if (issuer) + fields++; } X509Name = X509_get_subject_name(X509Cert); if (X509Name) { - print_x509_name(X509Name, L"Subject"); + subject = get_x509_name(X509Name, L"Subject"); + if (subject) + fields++; } time = X509_get_notBefore(X509Cert); if (time) { - print_x509_time(time, L"Validity from"); + from = get_x509_time(time, L"Validity from"); + if (time) + fields++; } time = X509_get_notAfter(X509Cert); if (time) { - print_x509_time(time, L"Validity till"); + until = get_x509_time(time, L"Validity till"); + if (until) + fields++; } + +#if 0 + CatPrint(&hash_string1, L"SHA1 Fingerprint: "); + for (i=0; i<10; i++) + CatPrint(&hash_string1, L"%02x ", hash[i]); + for (i=10; i<20; i++) + CatPrint(&hash_string2, L"%02x ", hash[i]); + + if (hash_string1.str) + fields++; + + if (hash_string2.str) + fields++; +#endif + if (!fields) + return; + + text = AllocateZeroPool(sizeof(CHAR16 *) * (fields + 1)); + if (serial_string.str) { + text[i] = serial_string.str; + i++; + } + if (issuer) { + text[i] = issuer; + i++; + } + if (subject) { + text[i] = subject; + i++; + } + if (from) { + text[i] = from; + i++; + } + if (until) { + text[i] = until; + i++; + } + if (hash_string1.str) { + text[i] = hash_string1.str; + i++; + } + if (hash_string2.str) { + text[i] = hash_string2.str; + i++; + } + text[i] = NULL; + + console_alertbox(text); + + for (i=0; text[i] != NULL; i++) + FreePool(text[i]); + + FreePool(text); } static void show_mok_info (void *Mok, UINTN MokSize) @@ -385,28 +468,20 @@ static void show_mok_info (void *Mok, UINTN MokSize) return; if (MokSize != SHA256_DIGEST_SIZE) { - if (X509ConstructCertificate(Mok, MokSize, - (UINT8 **) &X509Cert) && X509Cert != NULL) { - show_x509_info(X509Cert); - X509_free(X509Cert); - } else { - Print(L" Not a valid X509 certificate: %x\n\n", - ((UINT32 *)Mok)[0]); - return; - } - efi_status = get_sha1sum(Mok, MokSize, hash); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to compute MOK fingerprint\n"); + console_notify(L"Failed to compute MOK fingerprint"); return; } - Print(L" Fingerprint (SHA1):\n "); - for (i = 0; i < SHA1_DIGEST_SIZE; i++) { - Print(L" %02x", hash[i]); - if (i % 10 == 9) - Print(L"\n "); + if (X509ConstructCertificate(Mok, MokSize, + (UINT8 **) &X509Cert) && X509Cert != NULL) { + show_x509_info(X509Cert, hash); + X509_free(X509Cert); + } else { + console_notify(L"Not a valid X509 certificate"); + return; } } else { Print(L"SHA256 hash:\n "); @@ -417,58 +492,19 @@ static void show_mok_info (void *Mok, UINTN MokSize) } Print(L"\n"); } - - Print(L"\n"); } -static INTN get_number () -{ - EFI_INPUT_KEY input_key; - CHAR16 input[10]; - int count = 0; - - do { - input_key = get_keystroke(); - - if ((input_key.UnicodeChar < '0' || - input_key.UnicodeChar > '9' || - count >= 10) && - input_key.UnicodeChar != CHAR_BACKSPACE) { - continue; - } - - if (count == 0 && input_key.UnicodeChar == CHAR_BACKSPACE) - continue; - - Print(L"%c", input_key.UnicodeChar); - - if (input_key.UnicodeChar == CHAR_BACKSPACE) { - input[--count] = '\0'; - continue; - } - - input[count++] = input_key.UnicodeChar; - } while (input_key.UnicodeChar != CHAR_CARRIAGE_RETURN); - - if (count == 0) - return -1; - - input[count] = '\0'; - - return (INTN)Atoi(input); -} - -static UINT8 list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) +static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) { UINT32 MokNum = 0; MokListNode *keys = NULL; INTN key_num = 0; - UINT8 initial = 1; + CHAR16 **menu_strings; + int i; if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA))) { - Print(L"No keys\n"); - Pause(); + console_notify(L"No MOK keys found"); return 0; } @@ -476,41 +512,38 @@ static UINT8 list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) keys = build_mok_list(MokNum, KeyList, KeyListSize); if (!keys) { - Print(L"Failed to construct key list\n"); + console_notify(L"Failed to construct key list"); return 0; } - do { - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - if (title) - Print(L"%s\n", title); - Print(L"Input the key number to show the details of the key or\n" - L"type \'0\' to continue\n\n"); - Print(L"%d key(s) in the key list\n\n", MokNum); + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2)); - if (key_num > MokNum) { - Print(L"[Key %d]\n", key_num); - Print(L"No such key\n\n"); - } else if (initial != 1 && key_num > 0){ - Print(L"[Key %d]\n", key_num); - show_mok_info(keys[key_num-1].Mok, keys[key_num-1].MokSize); - } + if (!menu_strings) + return EFI_OUT_OF_RESOURCES; - Print(L"Key Number: "); + for (i=0; iResetSystem, 4, EfiResetWarm, - EFI_SUCCESS, 0, NULL); - Print(L"Failed to reboot\n"); - return -1; - } - - return 0; - } - } while (line[0] != 'N' && line[0] != 'n'); - return -1; -} - -static INTN mok_enrollment_prompt_callback (void *MokNew, void *data2, - void *data3) -{ - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - return mok_enrollment_prompt(MokNew, (UINTN)data2, TRUE); -} - -static INTN mok_reset_prompt (void *MokNew, void *data2, void *data3) -{ - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - CHAR16 line[1]; - UINT32 length; - EFI_STATUS efi_status; - - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - Print(L"Erase all stored keys? (y/N): "); - - get_line (&length, line, 1, 1); - - if (line[0] == 'Y' || line[0] == 'y') { - efi_status = store_keys(NULL, 0, TRUE); - - if (efi_status != EFI_SUCCESS) { - Print(L"Failed to erase keys\n"); - return -1; - } + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to enroll keys\n"); + return -1; + } + if (auth) { LibDeleteVariable(L"MokNew", &shim_lock_guid); LibDeleteVariable(L"MokAuth", &shim_lock_guid); - Print(L"\nPress a key to reboot system\n"); - Pause(); + console_notify(L"The system must now be rebooted"); uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, NULL); - Print(L"Failed to reboot\n"); + console_notify(L"Failed to reboot"); return -1; } return 0; } +static INTN mok_reset_prompt () +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status; + + uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); + + if (console_yes_no((CHAR16 *[]){L"Erase all stored keys?", NULL }) == 0) + return 0; + + efi_status = store_keys(NULL, 0, TRUE); + + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to erase keys\n"); + return -1; + } + + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot\n"); + return -1; +} + static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; @@ -834,7 +843,7 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num) FreePool(Data); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set variable %d\n", efi_status); + console_error(L"Failed to set variable", efi_status); return efi_status; } @@ -859,7 +868,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { - Print(L"Failed to get MokDelAuth %d\n", efi_status); + console_error(L"Failed to get MokDelAuth", efi_status); return efi_status; } @@ -871,9 +880,11 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) &MokListDataSize, &MokListData); if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokList is compromised!\nErase all keys in MokList!\n"); + console_alertbox((CHAR16 *[]){L"MokList is compromised!", + L"Erase all keys in MokList!", + NULL}); if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokList\n"); + console_notify(L"Failed to erase MokList"); } return EFI_ACCESS_DENIED; } @@ -914,59 +925,48 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) return efi_status; } -static INTN mok_deletion_prompt (void *MokDel, void *data2, void *data3) +static INTN mok_deletion_prompt (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINTN MokDelSize = (UINTN)data2; - CHAR16 line[1]; - UINT32 length; EFI_STATUS efi_status; - do { - if (!list_keys(MokDel, MokDelSize, L"[Delete MOK]")) { - return 0; - } + if (list_keys(MokDel, MokDelSize, L"[Delete MOK]") != EFI_SUCCESS) { + return 0; + } - Print(L"Delete the key(s)? (y/n): "); + if (console_yes_no((CHAR16 *[]){L"Delete the key(s)?", NULL}) == 0) + return 0; - get_line (&length, line, 1, 1); + efi_status = delete_keys(MokDel, MokDelSize); - if (line[0] == 'Y' || line[0] == 'y') { - efi_status = delete_keys(MokDel, MokDelSize); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to delete keys"); + return -1; + } - if (efi_status != EFI_SUCCESS) { - Print(L"Failed to delete keys\n"); - return -1; - } + LibDeleteVariable(L"MokDel", &shim_lock_guid); + LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); - LibDeleteVariable(L"MokDel", &shim_lock_guid); - LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); - - Print(L"\nPress a key to reboot system\n"); - Pause(); - uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, - EFI_SUCCESS, 0, NULL); - Print(L"Failed to reboot\n"); - return -1; - } - } while (line[0] != 'N' && line[0] != 'n'); + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot"); return -1; } -static INTN mok_sb_prompt (void *MokSB, void *data2, void *data3) { +static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINTN MokSBSize = (UINTN)data2; MokSBvar *var = MokSB; CHAR16 pass1, pass2, pass3; UINT8 fail_count = 0; UINT32 length; - CHAR16 line[1]; UINT8 sbval = 1; UINT8 pos1, pos2, pos3; + int ret; if (MokSBSize != sizeof(MokSBvar)) { - Print(L"Invalid MokSB variable contents\n"); + console_notify(L"Invalid MokSB variable contents"); return -1; } @@ -1006,61 +1006,49 @@ static INTN mok_sb_prompt (void *MokSB, void *data2, void *data3) { } if (fail_count >= 3) { - Print(L"Password limit reached\n"); + console_notify(L"Password limit reached"); + return -1; + } + + if (var->MokSBState == 0) + ret = console_yes_no((CHAR16 *[]){L"Disable Secure Boot", NULL}); + else + ret = console_yes_no((CHAR16 *[]){L"Enable Secure Boot", NULL}); + + if (ret == 0) { + LibDeleteVariable(L"MokSB", &shim_lock_guid); return -1; } if (var->MokSBState == 0) { - Print(L"Disable Secure Boot? (y/n): "); - } else { - Print(L"Enable Secure Boot? (y/n): "); - } - - do { - get_line (&length, line, 1, 1); - - if (line[0] == 'Y' || line[0] == 'y') { - if (var->MokSBState == 0) { - efi_status = uefi_call_wrapper(RT->SetVariable, - 5, L"MokSBState", - &shim_lock_guid, + efi_status = uefi_call_wrapper(RT->SetVariable, + 5, L"MokSBState", + &shim_lock_guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - 1, &sbval); - if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set Secure Boot state\n"); - return -1; - } - } else { - LibDeleteVariable(L"MokSBState", - &shim_lock_guid); - } - - LibDeleteVariable(L"MokSB", &shim_lock_guid); - - Print(L"Press a key to reboot system\n"); - Pause(); - uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, - EFI_SUCCESS, 0, NULL); - Print(L"Failed to reboot\n"); + 1, &sbval); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to set Secure Boot state"); return -1; } - } while (line[0] != 'N' && line[0] != 'n'); + } else { + LibDeleteVariable(L"MokSBState", &shim_lock_guid); + } + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot"); return -1; } - -static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { +static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINTN MokPWSize = (UINTN)data2; UINT8 hash[SHA256_DIGEST_SIZE]; - UINT32 length; - CHAR16 line[1]; if (MokPWSize != SHA256_DIGEST_SIZE) { - Print(L"Invalid MokPW variable contents\n"); + console_notify(L"Invalid MokPW variable contents"); return -1; } @@ -1069,190 +1057,41 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { SetMem(hash, SHA256_DIGEST_SIZE, 0); if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) { - Print(L"Clear MOK password? (y/n): "); - - do { - get_line (&length, line, 1, 1); - - if (line[0] == 'Y' || line[0] == 'y') { - LibDeleteVariable(L"MokPWStore", &shim_lock_guid); - LibDeleteVariable(L"MokPW", &shim_lock_guid); - } - } while (line[0] != 'N' && line[0] != 'n'); + if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0) + return 0; + LibDeleteVariable(L"MokPWStore", &shim_lock_guid); + LibDeleteVariable(L"MokPW", &shim_lock_guid); return 0; } efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); if (efi_status != EFI_SUCCESS) { - Print(L"Password limit reached\n"); + console_notify(L"Password limit reached"); return -1; } - Print(L"Set MOK password? (y/n): "); + if (console_yes_no((CHAR16 *[]){L"Set MOK password?", NULL}) == 0) + return 0; - do { - get_line (&length, line, 1, 1); - - if (line[0] == 'Y' || line[0] == 'y') { - efi_status = uefi_call_wrapper(RT->SetVariable, 5, - L"MokPWStore", - &shim_lock_guid, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS, - MokPWSize, MokPW); - if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MOK password\n"); - return -1; - } - - LibDeleteVariable(L"MokPW", &shim_lock_guid); - - Print(L"Press a key to reboot system\n"); - Pause(); - uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, - EFI_SUCCESS, 0, NULL); - Print(L"Failed to reboot\n"); - return -1; - } - } while (line[0] != 'N' && line[0] != 'n'); - - return 0; -} - -static UINTN draw_menu (CHAR16 *header, UINTN lines, struct menu_item *items, - UINTN count) { - UINTN i; - - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - - uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, - EFI_WHITE | EFI_BACKGROUND_BLACK); - - Print(L"%s UEFI key management\n\n", SHIM_VENDOR); - - if (header) - Print(L"%s", header); - - for (i = 0; i < count; i++) { - uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, - items[i].colour | EFI_BACKGROUND_BLACK); - Print(L" %s\n", items[i].text); + efi_status = uefi_call_wrapper(RT->SetVariable, 5, + L"MokPWStore", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + MokPWSize, MokPW); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to set MOK password"); + return -1; } - uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, 0, 0); - uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, TRUE); + LibDeleteVariable(L"MokPW", &shim_lock_guid); - return 2 + lines; -} - -static void free_menu (struct menu_item *items, UINTN count) { - UINTN i; - - for (i=0; iConOut->SetCursorPosition, 3, ST->ConOut, 0, - position); - - uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, - EFI_BLACK | EFI_BACKGROUND_BLACK); - - Print(L" ", timeout); - - uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, 0, - position); - - uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, - EFI_WHITE | EFI_BACKGROUND_BLACK); - - if (timeout > 1) - Print(L"Booting in %d seconds\n", timeout); - else if (timeout) - Print(L"Booting in %d second\n", timeout); -} - -static void run_menu (CHAR16 *header, UINTN lines, struct menu_item *items, - UINTN count, UINTN timeout) { - UINTN index, pos = 0, wait = 0, offset; - EFI_INPUT_KEY key; - EFI_STATUS status; - INTN ret; - - if (timeout) - wait = 10000000; - - offset = draw_menu (header, lines, items, count); - - while (1) { - update_time(count + offset + 1, timeout); - - uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, - 0, pos + offset); - status = WaitForSingleEvent(ST->ConIn->WaitForKey, wait); - - if (status == EFI_TIMEOUT) { - timeout--; - if (!timeout) { - free_menu(items, count); - return; - } - continue; - } - - wait = 0; - timeout = 0; - - uefi_call_wrapper(BS->WaitForEvent, 3, 1, - &ST->ConIn->WaitForKey, &index); - uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, - &key); - - switch(key.ScanCode) { - case SCAN_UP: - if (pos == 0) - continue; - pos--; - continue; - break; - case SCAN_DOWN: - if (pos == (count - 1)) - continue; - pos++; - continue; - break; - } - - switch(key.UnicodeChar) { - case CHAR_LINEFEED: - case CHAR_CARRIAGE_RETURN: - if (items[pos].callback == NULL) { - free_menu(items, count); - return; - } - - ret = items[pos].callback(items[pos].data, - items[pos].data2, - items[pos].data3); - if (ret < 0) { - Print(L"Press a key to continue\n"); - Pause(); - /* Clear the key in the queue */ - uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, - ST->ConIn, &key); - } - draw_menu (header, lines, items, count); - pos = 0; - break; - } - } + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, + NULL); + console_notify(L"Failed to reboot"); + return -1; } static UINTN verify_certificate(void *cert, UINTN size) @@ -1263,8 +1102,7 @@ static UINTN verify_certificate(void *cert, UINTN size) if (!(X509ConstructCertificate(cert, size, (UINT8 **) &X509Cert)) || X509Cert == NULL) { - Print(L"Invalid X509 certificate\n"); - Pause(); + console_notify(L"Invalid X509 certificate"); return FALSE; } @@ -1272,49 +1110,22 @@ static UINTN verify_certificate(void *cert, UINTN size) return TRUE; } -static INTN file_callback (void *data, void *data2, void *data3) { - EFI_FILE_INFO *buffer = NULL; - UINTN buffersize = 0, mokbuffersize; - EFI_STATUS status; - EFI_FILE *file; - CHAR16 *filename = data; - EFI_FILE *parent = data2; - BOOLEAN hash = !!data3; - EFI_GUID file_info_guid = EFI_FILE_INFO_ID; +static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) +{ + EFI_STATUS status = EFI_SUCCESS; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_SIGNATURE_LIST *CertList; EFI_SIGNATURE_DATA *CertData; + UINTN mokbuffersize; void *mokbuffer = NULL; - status = uefi_call_wrapper(parent->Open, 5, parent, &file, filename, - EFI_FILE_MODE_READ, 0); - - if (status != EFI_SUCCESS) - return 1; - - status = uefi_call_wrapper(file->GetInfo, 4, file, &file_info_guid, - &buffersize, buffer); - - if (status == EFI_BUFFER_TOO_SMALL) { - buffer = AllocatePool(buffersize); - status = uefi_call_wrapper(file->GetInfo, 4, file, - &file_info_guid, &buffersize, - buffer); - } - - if (!buffer) - return 0; - - buffersize = buffer->FileSize; - if (hash) { - void *binary; UINT8 sha256[SHA256_DIGEST_SIZE]; UINT8 sha1[SHA1_DIGEST_SIZE]; SHIM_LOCK *shim_lock; EFI_GUID shim_guid = SHIM_LOCK_GUID; PE_COFF_LOADER_IMAGE_CONTEXT context; - + status = LibLocateProtocol(&shim_guid, (VOID **)&shim_lock); if (status != EFI_SUCCESS) @@ -1328,20 +1139,12 @@ static INTN file_callback (void *data, void *data2, void *data3) { if (!mokbuffer) goto out; - binary = AllocatePool(buffersize); - - status = uefi_call_wrapper(file->Read, 3, file, &buffersize, - binary); + status = shim_lock->Context(data, datasize, &context); if (status != EFI_SUCCESS) goto out; - - status = shim_lock->Context(binary, buffersize, &context); - - if (status != EFI_SUCCESS) - goto out; - - status = shim_lock->Hash(binary, buffersize, &context, sha256, + + status = shim_lock->Hash(data, datasize, &context, sha256, sha1); if (status != EFI_SUCCESS) @@ -1354,7 +1157,7 @@ static INTN file_callback (void *data, void *data2, void *data3) { sizeof(EFI_SIGNATURE_LIST)); CopyMem(CertData->SignatureData, sha256, SHA256_DIGEST_SIZE); } else { - mokbuffersize = buffersize + sizeof(EFI_SIGNATURE_LIST) + + mokbuffersize = datasize + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); mokbuffer = AllocatePool(mokbuffersize); @@ -1363,12 +1166,11 @@ static INTN file_callback (void *data, void *data2, void *data3) { CertList = mokbuffer; CertList->SignatureType = EfiCertX509Guid; - CertList->SignatureSize = 16 + buffersize; - status = uefi_call_wrapper(file->Read, 3, file, &buffersize, - mokbuffer + sizeof(EFI_SIGNATURE_LIST) + 16); + CertList->SignatureSize = 16 + datasize; + + memcpy(mokbuffer + sizeof(EFI_SIGNATURE_LIST) + 16, data, + datasize); - if (status != EFI_SUCCESS) - goto out; CertData = (EFI_SIGNATURE_DATA *)(((UINT8 *)mokbuffer) + sizeof(EFI_SIGNATURE_LIST)); } @@ -1378,316 +1180,100 @@ static INTN file_callback (void *data, void *data2, void *data3) { CertData->SignatureOwner = shim_lock_guid; if (!hash) { - if (!verify_certificate(CertData->SignatureData, buffersize)) + if (!verify_certificate(CertData->SignatureData, datasize)) goto out; } mok_enrollment_prompt(mokbuffer, mokbuffersize, FALSE); out: - if (buffer) - FreePool(buffer); - if (mokbuffer) FreePool(mokbuffer); - return 0; + return status; } -static INTN directory_callback (void *data, void *data2, void *data3) { - EFI_FILE_INFO *buffer = NULL; - UINTN buffersize = 0; - EFI_STATUS status; - UINTN dircount = 0, i = 0; - struct menu_item *dircontent; - EFI_FILE *dir; - CHAR16 *filename = data; - EFI_FILE *root = data2; - BOOLEAN hash = !!data3; +static void mok_hash_enroll(void) +{ + EFI_STATUS efi_status; + CHAR16 *file_name = NULL; + EFI_HANDLE im = NULL; + EFI_FILE *file = NULL; + UINTN filesize; + void *data; - status = uefi_call_wrapper(root->Open, 5, root, &dir, filename, - EFI_FILE_MODE_READ, 0); + simple_file_selector(&im, (CHAR16 *[]){ + L"Select Binary", + L"", + L"The Selected Binary will have its hash Enrolled", + L"This means it will Subsequently Boot with no prompting", + L"Remember to make sure it is a genuine binary before Enroling its hash", + NULL + }, L"\\", L"", &file_name); - if (status != EFI_SUCCESS) - return 1; + if (!file_name) + return; - while (1) { - status = uefi_call_wrapper(dir->Read, 3, dir, &buffersize, - buffer); + efi_status = simple_file_open(im, file_name, &file, EFI_FILE_MODE_READ); - if (status == EFI_BUFFER_TOO_SMALL) { - buffer = AllocatePool(buffersize); - status = uefi_call_wrapper(dir->Read, 3, dir, - &buffersize, buffer); - } - - if (status != EFI_SUCCESS) - return 1; - - if (!buffersize) - break; - - if ((StrCmp(buffer->FileName, L".") == 0) || - (StrCmp(buffer->FileName, L"..") == 0)) - continue; - - dircount++; - - FreePool(buffer); - buffersize = 0; + if (efi_status != EFI_SUCCESS) { + console_error(L"Unable to open file", efi_status); + return; } - dircount++; + simple_file_read_all(file, &filesize, &data); + simple_file_close(file); - dircontent = AllocatePool(sizeof(struct menu_item) * dircount); - - dircontent[0].text = StrDuplicate(L".."); - dircontent[0].callback = NULL; - dircontent[0].colour = EFI_YELLOW; - i++; - - uefi_call_wrapper(dir->SetPosition, 2, dir, 0); - - while (1) { - status = uefi_call_wrapper(dir->Read, 3, dir, &buffersize, - buffer); - - if (status == EFI_BUFFER_TOO_SMALL) { - buffer = AllocatePool(buffersize); - status = uefi_call_wrapper(dir->Read, 3, dir, - &buffersize, buffer); - } - - if (status != EFI_SUCCESS) - return 1; - - if (!buffersize) - break; - - if ((StrCmp(buffer->FileName, L".") == 0) || - (StrCmp(buffer->FileName, L"..") == 0)) - continue; - - if (buffer->Attribute & EFI_FILE_DIRECTORY) { - dircontent[i].text = StrDuplicate(buffer->FileName); - dircontent[i].callback = directory_callback; - dircontent[i].data = dircontent[i].text; - dircontent[i].data2 = dir; - dircontent[i].data3 = data3; - dircontent[i].colour = EFI_YELLOW; - } else { - dircontent[i].text = StrDuplicate(buffer->FileName); - dircontent[i].callback = file_callback; - dircontent[i].data = dircontent[i].text; - dircontent[i].data2 = dir; - dircontent[i].data3 = data3; - dircontent[i].colour = EFI_WHITE; - } - - i++; - FreePool(buffer); - buffersize = 0; - buffer = NULL; + if (!filesize) { + console_error(L"Unable to read file", efi_status); + return; } - if (hash) - run_menu(HASH_STRING, 2, dircontent, dircount, 0); - else - run_menu(CERT_STRING, 2, dircontent, dircount, 0); + efi_status = enroll_file(data, filesize, TRUE); - return 0; + if (efi_status != EFI_SUCCESS) + console_error(L"Hash failed (did you select a valid EFI binary?)", efi_status); + + FreePool(data); } -static INTN filesystem_callback (void *data, void *data2, void *data3) { - EFI_FILE_INFO *buffer = NULL; - UINTN buffersize = 0; - EFI_STATUS status; - UINTN dircount = 0, i = 0; - struct menu_item *dircontent; - EFI_FILE *root = data; - BOOLEAN hash = !!data3; +static void mok_key_enroll(void) +{ + EFI_STATUS efi_status; + CHAR16 *file_name = NULL; + EFI_HANDLE im = NULL; + EFI_FILE *file = NULL; + UINTN filesize; + void *data; - uefi_call_wrapper(root->SetPosition, 2, root, 0); + simple_file_selector(&im, (CHAR16 *[]){ + L"Select Key", + L"", + L"The selected key will be enrolled into the MOK database", + L"This means any binaries signed with it will be run without prompting", + L"Remember to make sure it is a genuine key before Enroling it", + NULL + }, L"\\", L"", &file_name); - while (1) { - status = uefi_call_wrapper(root->Read, 3, root, &buffersize, - buffer); + if (!file_name) + return; - if (status == EFI_BUFFER_TOO_SMALL) { - buffer = AllocatePool(buffersize); - status = uefi_call_wrapper(root->Read, 3, root, - &buffersize, buffer); - } + efi_status = simple_file_open(im, file_name, &file, EFI_FILE_MODE_READ); - if (status != EFI_SUCCESS) - return 1; - - if (!buffersize) - break; - - if ((StrCmp(buffer->FileName, L".") == 0) || - (StrCmp(buffer->FileName, L"..") == 0)) - continue; - - dircount++; - - FreePool(buffer); - buffersize = 0; + if (efi_status != EFI_SUCCESS) { + console_error(L"Unable to open file", efi_status); + return; } - dircount++; + simple_file_read_all(file, &filesize, &data); + simple_file_close(file); - dircontent = AllocatePool(sizeof(struct menu_item) * dircount); - - dircontent[0].text = StrDuplicate(L"Return to filesystem list"); - dircontent[0].callback = NULL; - dircontent[0].colour = EFI_YELLOW; - i++; - - uefi_call_wrapper(root->SetPosition, 2, root, 0); - - while (1) { - status = uefi_call_wrapper(root->Read, 3, root, &buffersize, - buffer); - - if (status == EFI_BUFFER_TOO_SMALL) { - buffer = AllocatePool(buffersize); - status = uefi_call_wrapper(root->Read, 3, root, - &buffersize, buffer); - } - - if (status != EFI_SUCCESS) - return 1; - - if (!buffersize) - break; - - if ((StrCmp(buffer->FileName, L".") == 0) || - (StrCmp(buffer->FileName, L"..") == 0)) - continue; - - if (buffer->Attribute & EFI_FILE_DIRECTORY) { - dircontent[i].text = StrDuplicate(buffer->FileName); - dircontent[i].callback = directory_callback; - dircontent[i].data = dircontent[i].text; - dircontent[i].data2 = root; - dircontent[i].data3 = data3; - dircontent[i].colour = EFI_YELLOW; - } else { - dircontent[i].text = StrDuplicate(buffer->FileName); - dircontent[i].callback = file_callback; - dircontent[i].data = dircontent[i].text; - dircontent[i].data2 = root; - dircontent[i].data3 = data3; - dircontent[i].colour = EFI_WHITE; - } - - i++; - FreePool(buffer); - buffer = NULL; - buffersize = 0; + if (!filesize) { + console_error(L"Unable to read file", efi_status); + return; } - if (hash) - run_menu(HASH_STRING, 2, dircontent, dircount, 0); - else - run_menu(CERT_STRING, 2, dircontent, dircount, 0); - - return 0; -} - -static INTN find_fs (void *data, void *data2, void *data3) { - EFI_GUID fs_guid = SIMPLE_FILE_SYSTEM_PROTOCOL; - UINTN count, i; - UINTN OldSize, NewSize; - EFI_HANDLE *filesystem_handles = NULL; - struct menu_item *filesystems; - BOOLEAN hash = !!data3; - - uefi_call_wrapper(BS->LocateHandleBuffer, 5, ByProtocol, &fs_guid, - NULL, &count, &filesystem_handles); - - if (!count || !filesystem_handles) { - Print(L"No filesystems?\n"); - return 1; - } - - count++; - - filesystems = AllocatePool(sizeof(struct menu_item) * count); - - filesystems[0].text = StrDuplicate(L"Exit"); - filesystems[0].callback = NULL; - filesystems[0].colour = EFI_YELLOW; - - for (i=1; iHandleProtocol, 3, fs, &fs_guid, - (void **)&fs_interface); - - if (status != EFI_SUCCESS || !fs_interface) - continue; - - path = DevicePathFromHandle(fs); - - status = uefi_call_wrapper(fs_interface->OpenVolume, 2, - fs_interface, &root); - - if (status != EFI_SUCCESS || !root) - continue; - - status = uefi_call_wrapper(root->GetInfo, 4, root, - &file_info_guid, &buffersize, - buffer); - - if (status == EFI_BUFFER_TOO_SMALL) { - buffer = AllocatePool(buffersize); - status = uefi_call_wrapper(root->GetInfo, 4, root, - &file_info_guid, - &buffersize, buffer); - } - - if (status == EFI_SUCCESS) - VolumeLabel = buffer->VolumeLabel; - - if (path) - filesystems[i].text = DevicePathToStr(path); - else - filesystems[i].text = StrDuplicate(L"Unknown device\n"); - if (VolumeLabel) { - OldSize = (StrLen(filesystems[i].text) + 1) * sizeof(CHAR16); - NewSize = OldSize + StrLen(VolumeLabel) * sizeof(CHAR16); - filesystems[i].text = ReallocatePool(filesystems[i].text, - OldSize, NewSize); - StrCat(filesystems[i].text, VolumeLabel); - } - - if (buffersize) - FreePool(buffer); - - filesystems[i].data = root; - filesystems[i].data2 = NULL; - filesystems[i].data3 = data3; - filesystems[i].callback = filesystem_callback; - filesystems[i].colour = EFI_YELLOW; - } - - uefi_call_wrapper(BS->FreePool, 1, filesystem_handles); - - if (hash) - run_menu(HASH_STRING, 2, filesystems, count, 0); - else - run_menu(CERT_STRING, 2, filesystems, count, 0); - - return 0; + enroll_file(data, filesize, FALSE); + FreePool(data); } static BOOLEAN verify_pw(void) @@ -1717,20 +1303,33 @@ static BOOLEAN verify_pw(void) efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); if (efi_status != EFI_SUCCESS) { - Print(L"Password limit reached\n"); + console_notify(L"Password limit reached"); return FALSE; } return TRUE; } +typedef enum { + MOK_CONTINUE_BOOT, + MOK_RESET_MOK, + MOK_ENROLL_MOK, + MOK_DELETE_MOK, + MOK_CHANGE_SB, + MOK_SET_PW, + MOK_KEY_ENROLL, + MOK_HASH_ENROLL +} mok_menu_item; + static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokNew, UINTN MokNewSize, void *MokDel, UINTN MokDelSize, void *MokSB, UINTN MokSBSize, void *MokPW, UINTN MokPWSize) { - struct menu_item *menu_item; + CHAR16 **menu_strings; + mok_menu_item *menu_item; + int choice = 0; UINT32 MokAuth = 0; UINT32 MokDelAuth = 0; UINTN menucount = 3, i = 0; @@ -1739,10 +1338,11 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINT8 auth[SHA256_DIGEST_SIZE]; UINTN auth_size = SHA256_DIGEST_SIZE; UINT32 attributes; + EFI_STATUS ret = EFI_SUCCESS; if (verify_pw() == FALSE) return EFI_ACCESS_DENIED; - + efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, &attributes, &auth_size, auth); @@ -1769,78 +1369,108 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, if (MokPW) menucount++; - menu_item = AllocateZeroPool(sizeof(struct menu_item) * menucount); + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); - if (!menu_item) + if (!menu_strings) return EFI_OUT_OF_RESOURCES; - menu_item[i].text = StrDuplicate(L"Continue boot"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].callback = NULL; + menu_item = AllocateZeroPool(sizeof(mok_menu_item) * menucount); + + if (!menu_item) { + FreePool(menu_strings); + return EFI_OUT_OF_RESOURCES; + } + + menu_strings[i] = StrDuplicate(L"Continue boot"); + menu_item[i] = MOK_CONTINUE_BOOT; i++; if (MokNew || MokAuth) { if (!MokNew) { - menu_item[i].text = StrDuplicate(L"Reset MOK"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].callback = mok_reset_prompt; + menu_strings[i] = StrDuplicate(L"Reset MOK"); + menu_item[i] = MOK_RESET_MOK; } else { - menu_item[i].text = StrDuplicate(L"Enroll MOK"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].data = MokNew; - menu_item[i].data2 = (void *)MokNewSize; - menu_item[i].callback = mok_enrollment_prompt_callback; + menu_strings[i] = StrDuplicate(L"Enroll MOK"); + menu_item[i] = MOK_ENROLL_MOK; } i++; } - if (MokDel || MokDelAuth) { - menu_item[i].text = StrDuplicate(L"Delete MOK"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].data = MokDel; - menu_item[i].data2 = (void *)MokDelSize; - menu_item[i].callback = mok_deletion_prompt; + if (MokDel || MokDelAuth) { + menu_strings[i] = StrDuplicate(L"Delete MOK"); + menu_item[i] = MOK_DELETE_MOK; i++; } if (MokSB) { - menu_item[i].text = StrDuplicate(L"Change Secure Boot state"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].callback = mok_sb_prompt; - menu_item[i].data = MokSB; - menu_item[i].data2 = (void *)MokSBSize; + menu_strings[i] = StrDuplicate(L"Change Secure Boot state"); + menu_item[i] = MOK_CHANGE_SB; i++; } if (MokPW) { - menu_item[i].text = StrDuplicate(L"Set MOK password"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].callback = mok_pw_prompt; - menu_item[i].data = MokPW; - menu_item[i].data2 = (void *)MokPWSize; + menu_strings[i] = StrDuplicate(L"Set MOK password"); + menu_item[i] = MOK_SET_PW; i++; } - menu_item[i].text = StrDuplicate(L"Enroll key from disk"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].callback = find_fs; - menu_item[i].data3 = (void *)FALSE; - + menu_strings[i] = StrDuplicate(L"Enroll key from disk"); + menu_item[i] = MOK_KEY_ENROLL; i++; - menu_item[i].text = StrDuplicate(L"Enroll hash from disk"); - menu_item[i].colour = EFI_WHITE; - menu_item[i].callback = find_fs; - menu_item[i].data3 = (void *)TRUE; - + menu_strings[i] = StrDuplicate(L"Enroll hash from disk"); + menu_item[i] = MOK_HASH_ENROLL; i++; - run_menu(NULL, 0, menu_item, menucount, 10); + menu_strings[i] = NULL; - uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); + while (choice >= 0) { + choice = console_select((CHAR16 *[]){ L"Perform MOK management", NULL }, + menu_strings, 0); - return 0; + if (choice < 0) + goto out; + + switch (menu_item[choice]) { + case MOK_CONTINUE_BOOT: + goto out; + case MOK_RESET_MOK: + mok_reset_prompt(); + break; + case MOK_ENROLL_MOK: + mok_enrollment_prompt(MokNew, MokNewSize, TRUE); + break; + case MOK_DELETE_MOK: + mok_deletion_prompt(MokDel, MokDelSize); + break; + case MOK_CHANGE_SB: + mok_sb_prompt(MokSB, MokSBSize); + break; + case MOK_SET_PW: + mok_pw_prompt(MokPW, MokPWSize); + break; + case MOK_KEY_ENROLL: + mok_key_enroll(); + break; + case MOK_HASH_ENROLL: + mok_hash_enroll(); + break; + } + } + +out: + console_reset(); + + for (i=0; menu_strings[i] != NULL; i++) + FreePool(menu_strings[i]); + + FreePool(menu_strings); + + if (menu_item) + FreePool(menu_item); + + return ret; } static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -1865,28 +1495,28 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokNew) { if (LibDeleteVariable(L"MokNew", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to delete MokNew\n"); + console_notify(L"Failed to delete MokNew"); } FreePool (MokNew); } if (MokDel) { if (LibDeleteVariable(L"MokDel", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to delete MokDel\n"); + console_notify(L"Failed to delete MokDel"); } FreePool (MokDel); } if (MokSB) { if (LibDeleteVariable(L"MokSB", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to delete MokSB\n"); + console_notify(L"Failed to delete MokSB"); } FreePool (MokNew); } if (MokPW) { if (LibDeleteVariable(L"MokPW", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to delete MokPW\n"); + console_notify(L"Failed to delete MokPW"); } FreePool (MokNew); } From 17857eb8b55fa9864bfd71083d9291c74b0bab8e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 26 Sep 2013 11:57:59 -0400 Subject: [PATCH 020/163] Port MokManager to Linux Foundation loader UI code This is the first stage of porting the MokManager UI to the UI code used by the Linux Foundation UEFI loader. --- Makefile | 9 +- include/PeImage.h | 787 +++++++++++++++++++++++++++++++++++++ include/configtable.h | 68 ++++ include/console.h | 21 + include/efiauthenticated.h | 222 +++++++++++ include/errors.h | 9 + include/execute.h | 5 + include/guid.h | 18 + include/security_policy.h | 6 + include/shell.h | 2 + include/simple_file.h | 21 + include/variables.h | 59 +++ include/version.h | 8 + include/wincert.h | 33 ++ lib/Makefile | 28 ++ lib/configtable.c | 144 +++++++ lib/console.c | 402 +++++++++++++++++++ lib/execute.c | 127 ++++++ lib/guid.c | 47 +++ lib/security_policy.c | 391 ++++++++++++++++++ lib/shell.c | 57 +++ lib/simple_file.c | 501 +++++++++++++++++++++++ lib/variables.c | 340 ++++++++++++++++ 23 files changed, 3302 insertions(+), 3 deletions(-) create mode 100644 include/PeImage.h create mode 100644 include/configtable.h create mode 100644 include/console.h create mode 100644 include/efiauthenticated.h create mode 100644 include/errors.h create mode 100644 include/execute.h create mode 100644 include/guid.h create mode 100644 include/security_policy.h create mode 100644 include/shell.h create mode 100644 include/simple_file.h create mode 100644 include/variables.h create mode 100644 include/version.h create mode 100644 include/wincert.h create mode 100644 lib/Makefile create mode 100644 lib/configtable.c create mode 100644 lib/console.c create mode 100644 lib/execute.c create mode 100644 lib/guid.c create mode 100644 lib/security_policy.c create mode 100644 lib/shell.c create mode 100644 lib/simple_file.c create mode 100644 lib/variables.c diff --git a/Makefile b/Makefile index 513339f..a64b4ac 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -SUBDIRS = Cryptlib +SUBDIRS = Cryptlib lib LIB_PATH = /usr/lib64 @@ -78,8 +78,8 @@ fallback.so: $(FALLBACK_OBJS) MokManager.o: $(SOURCES) -MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a - $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) +MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: $(MAKE) -C Cryptlib @@ -87,6 +87,9 @@ Cryptlib/libcryptlib.a: Cryptlib/OpenSSL/libopenssl.a: $(MAKE) -C Cryptlib/OpenSSL +lib/lib.a: + $(MAKE) -C lib + %.efi: %.so objcopy -j .text -j .sdata -j .data \ -j .dynamic -j .dynsym -j .rel \ diff --git a/include/PeImage.h b/include/PeImage.h new file mode 100644 index 0000000..ec13404 --- /dev/null +++ b/include/PeImage.h @@ -0,0 +1,787 @@ +/** @file + EFI image format for PE32, PE32+ and TE. Please note some data structures are + different for PE32 and PE32+. EFI_IMAGE_NT_HEADERS32 is for PE32 and + EFI_IMAGE_NT_HEADERS64 is for PE32+. + + This file is coded to the Visual Studio, Microsoft Portable Executable and + Common Object File Format Specification, Revision 8.0 - May 16, 2006. + This file also includes some definitions in PI Specification, Revision 1.0. + +Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.
+Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php. + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __PE_IMAGE_H__ +#define __PE_IMAGE_H__ + +#include + +#define SIGNATURE_16(A, B) ((A) | (B << 8)) +#define SIGNATURE_32(A, B, C, D) (SIGNATURE_16 (A, B) | (SIGNATURE_16 (C, D) << 16)) +#define SIGNATURE_64(A, B, C, D, E, F, G, H) \ + (SIGNATURE_32 (A, B, C, D) | ((UINT64) (SIGNATURE_32 (E, F, G, H)) << 32)) + +#define ALIGN_VALUE(Value, Alignment) ((Value) + (((Alignment) - (Value)) & ((Alignment) - 1))) +#define ALIGN_POINTER(Pointer, Alignment) ((VOID *) (ALIGN_VALUE ((UINTN)(Pointer), (Alignment)))) + +// +// PE32+ Subsystem type for EFI images +// +#define EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION 10 +#define EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 +#define EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 +#define EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER 13 ///< defined PI Specification, 1.0 + + +// +// PE32+ Machine type for EFI images +// +#define IMAGE_FILE_MACHINE_I386 0x014c +#define IMAGE_FILE_MACHINE_IA64 0x0200 +#define IMAGE_FILE_MACHINE_EBC 0x0EBC +#define IMAGE_FILE_MACHINE_X64 0x8664 +#define IMAGE_FILE_MACHINE_ARMTHUMB_MIXED 0x01c2 + +// +// EXE file formats +// +#define EFI_IMAGE_DOS_SIGNATURE SIGNATURE_16('M', 'Z') +#define EFI_IMAGE_OS2_SIGNATURE SIGNATURE_16('N', 'E') +#define EFI_IMAGE_OS2_SIGNATURE_LE SIGNATURE_16('L', 'E') +#define EFI_IMAGE_NT_SIGNATURE SIGNATURE_32('P', 'E', '\0', '\0') + +/// +/// PE images can start with an optional DOS header, so if an image is run +/// under DOS it can print an error message. +/// +typedef struct { + UINT16 e_magic; ///< Magic number. + UINT16 e_cblp; ///< Bytes on last page of file. + UINT16 e_cp; ///< Pages in file. + UINT16 e_crlc; ///< Relocations. + UINT16 e_cparhdr; ///< Size of header in paragraphs. + UINT16 e_minalloc; ///< Minimum extra paragraphs needed. + UINT16 e_maxalloc; ///< Maximum extra paragraphs needed. + UINT16 e_ss; ///< Initial (relative) SS value. + UINT16 e_sp; ///< Initial SP value. + UINT16 e_csum; ///< Checksum. + UINT16 e_ip; ///< Initial IP value. + UINT16 e_cs; ///< Initial (relative) CS value. + UINT16 e_lfarlc; ///< File address of relocation table. + UINT16 e_ovno; ///< Overlay number. + UINT16 e_res[4]; ///< Reserved words. + UINT16 e_oemid; ///< OEM identifier (for e_oeminfo). + UINT16 e_oeminfo; ///< OEM information; e_oemid specific. + UINT16 e_res2[10]; ///< Reserved words. + UINT32 e_lfanew; ///< File address of new exe header. +} EFI_IMAGE_DOS_HEADER; + +/// +/// COFF File Header (Object and Image). +/// +typedef struct { + UINT16 Machine; + UINT16 NumberOfSections; + UINT32 TimeDateStamp; + UINT32 PointerToSymbolTable; + UINT32 NumberOfSymbols; + UINT16 SizeOfOptionalHeader; + UINT16 Characteristics; +} EFI_IMAGE_FILE_HEADER; + +/// +/// Size of EFI_IMAGE_FILE_HEADER. +/// +#define EFI_IMAGE_SIZEOF_FILE_HEADER 20 + +// +// Characteristics +// +#define EFI_IMAGE_FILE_RELOCS_STRIPPED (1 << 0) ///< 0x0001 Relocation info stripped from file. +#define EFI_IMAGE_FILE_EXECUTABLE_IMAGE (1 << 1) ///< 0x0002 File is executable (i.e. no unresolved externel references). +#define EFI_IMAGE_FILE_LINE_NUMS_STRIPPED (1 << 2) ///< 0x0004 Line nunbers stripped from file. +#define EFI_IMAGE_FILE_LOCAL_SYMS_STRIPPED (1 << 3) ///< 0x0008 Local symbols stripped from file. +#define EFI_IMAGE_FILE_BYTES_REVERSED_LO (1 << 7) ///< 0x0080 Bytes of machine word are reversed. +#define EFI_IMAGE_FILE_32BIT_MACHINE (1 << 8) ///< 0x0100 32 bit word machine. +#define EFI_IMAGE_FILE_DEBUG_STRIPPED (1 << 9) ///< 0x0200 Debugging info stripped from file in .DBG file. +#define EFI_IMAGE_FILE_SYSTEM (1 << 12) ///< 0x1000 System File. +#define EFI_IMAGE_FILE_DLL (1 << 13) ///< 0x2000 File is a DLL. +#define EFI_IMAGE_FILE_BYTES_REVERSED_HI (1 << 15) ///< 0x8000 Bytes of machine word are reversed. + +/// +/// Header Data Directories. +/// +typedef struct { + UINT32 VirtualAddress; + UINT32 Size; +} EFI_IMAGE_DATA_DIRECTORY; + +// +// Directory Entries +// +#define EFI_IMAGE_DIRECTORY_ENTRY_EXPORT 0 +#define EFI_IMAGE_DIRECTORY_ENTRY_IMPORT 1 +#define EFI_IMAGE_DIRECTORY_ENTRY_RESOURCE 2 +#define EFI_IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 +#define EFI_IMAGE_DIRECTORY_ENTRY_SECURITY 4 +#define EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC 5 +#define EFI_IMAGE_DIRECTORY_ENTRY_DEBUG 6 +#define EFI_IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 +#define EFI_IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 +#define EFI_IMAGE_DIRECTORY_ENTRY_TLS 9 +#define EFI_IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 + +#define EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES 16 + +/// +/// @attention +/// EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC means PE32 and +/// EFI_IMAGE_OPTIONAL_HEADER32 must be used. The data structures only vary +/// after NT additional fields. +/// +#define EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b + +/// +/// Optional Header Standard Fields for PE32. +/// +typedef struct { + /// + /// Standard fields. + /// + UINT16 Magic; + UINT8 MajorLinkerVersion; + UINT8 MinorLinkerVersion; + UINT32 SizeOfCode; + UINT32 SizeOfInitializedData; + UINT32 SizeOfUninitializedData; + UINT32 AddressOfEntryPoint; + UINT32 BaseOfCode; + UINT32 BaseOfData; ///< PE32 contains this additional field, which is absent in PE32+. + /// + /// Optional Header Windows-Specific Fields. + /// + UINT32 ImageBase; + UINT32 SectionAlignment; + UINT32 FileAlignment; + UINT16 MajorOperatingSystemVersion; + UINT16 MinorOperatingSystemVersion; + UINT16 MajorImageVersion; + UINT16 MinorImageVersion; + UINT16 MajorSubsystemVersion; + UINT16 MinorSubsystemVersion; + UINT32 Win32VersionValue; + UINT32 SizeOfImage; + UINT32 SizeOfHeaders; + UINT32 CheckSum; + UINT16 Subsystem; + UINT16 DllCharacteristics; + UINT32 SizeOfStackReserve; + UINT32 SizeOfStackCommit; + UINT32 SizeOfHeapReserve; + UINT32 SizeOfHeapCommit; + UINT32 LoaderFlags; + UINT32 NumberOfRvaAndSizes; + EFI_IMAGE_DATA_DIRECTORY DataDirectory[EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES]; +} EFI_IMAGE_OPTIONAL_HEADER32; + +/// +/// @attention +/// EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC means PE32+ and +/// EFI_IMAGE_OPTIONAL_HEADER64 must be used. The data structures only vary +/// after NT additional fields. +/// +#define EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b + +/// +/// Optional Header Standard Fields for PE32+. +/// +typedef struct { + /// + /// Standard fields. + /// + UINT16 Magic; + UINT8 MajorLinkerVersion; + UINT8 MinorLinkerVersion; + UINT32 SizeOfCode; + UINT32 SizeOfInitializedData; + UINT32 SizeOfUninitializedData; + UINT32 AddressOfEntryPoint; + UINT32 BaseOfCode; + /// + /// Optional Header Windows-Specific Fields. + /// + UINT64 ImageBase; + UINT32 SectionAlignment; + UINT32 FileAlignment; + UINT16 MajorOperatingSystemVersion; + UINT16 MinorOperatingSystemVersion; + UINT16 MajorImageVersion; + UINT16 MinorImageVersion; + UINT16 MajorSubsystemVersion; + UINT16 MinorSubsystemVersion; + UINT32 Win32VersionValue; + UINT32 SizeOfImage; + UINT32 SizeOfHeaders; + UINT32 CheckSum; + UINT16 Subsystem; + UINT16 DllCharacteristics; + UINT64 SizeOfStackReserve; + UINT64 SizeOfStackCommit; + UINT64 SizeOfHeapReserve; + UINT64 SizeOfHeapCommit; + UINT32 LoaderFlags; + UINT32 NumberOfRvaAndSizes; + EFI_IMAGE_DATA_DIRECTORY DataDirectory[EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES]; +} EFI_IMAGE_OPTIONAL_HEADER64; + + +/// +/// @attention +/// EFI_IMAGE_NT_HEADERS32 is for use ONLY by tools. +/// +typedef struct { + UINT32 Signature; + EFI_IMAGE_FILE_HEADER FileHeader; + EFI_IMAGE_OPTIONAL_HEADER32 OptionalHeader; +} EFI_IMAGE_NT_HEADERS32; + +#define EFI_IMAGE_SIZEOF_NT_OPTIONAL32_HEADER sizeof (EFI_IMAGE_NT_HEADERS32) + +/// +/// @attention +/// EFI_IMAGE_HEADERS64 is for use ONLY by tools. +/// +typedef struct { + UINT32 Signature; + EFI_IMAGE_FILE_HEADER FileHeader; + EFI_IMAGE_OPTIONAL_HEADER64 OptionalHeader; +} EFI_IMAGE_NT_HEADERS64; + +#define EFI_IMAGE_SIZEOF_NT_OPTIONAL64_HEADER sizeof (EFI_IMAGE_NT_HEADERS64) + +// +// Other Windows Subsystem Values +// +#define EFI_IMAGE_SUBSYSTEM_UNKNOWN 0 +#define EFI_IMAGE_SUBSYSTEM_NATIVE 1 +#define EFI_IMAGE_SUBSYSTEM_WINDOWS_GUI 2 +#define EFI_IMAGE_SUBSYSTEM_WINDOWS_CUI 3 +#define EFI_IMAGE_SUBSYSTEM_OS2_CUI 5 +#define EFI_IMAGE_SUBSYSTEM_POSIX_CUI 7 + +/// +/// Length of ShortName. +/// +#define EFI_IMAGE_SIZEOF_SHORT_NAME 8 + +/// +/// Section Table. This table immediately follows the optional header. +/// +typedef struct { + UINT8 Name[EFI_IMAGE_SIZEOF_SHORT_NAME]; + union { + UINT32 PhysicalAddress; + UINT32 VirtualSize; + } Misc; + UINT32 VirtualAddress; + UINT32 SizeOfRawData; + UINT32 PointerToRawData; + UINT32 PointerToRelocations; + UINT32 PointerToLinenumbers; + UINT16 NumberOfRelocations; + UINT16 NumberOfLinenumbers; + UINT32 Characteristics; +} EFI_IMAGE_SECTION_HEADER; + +/// +/// Size of EFI_IMAGE_SECTION_HEADER. +/// +#define EFI_IMAGE_SIZEOF_SECTION_HEADER 40 + +// +// Section Flags Values +// +#define EFI_IMAGE_SCN_TYPE_NO_PAD BIT3 ///< 0x00000008 ///< Reserved. +#define EFI_IMAGE_SCN_CNT_CODE BIT5 ///< 0x00000020 +#define EFI_IMAGE_SCN_CNT_INITIALIZED_DATA BIT6 ///< 0x00000040 +#define EFI_IMAGE_SCN_CNT_UNINITIALIZED_DATA BIT7 ///< 0x00000080 + +#define EFI_IMAGE_SCN_LNK_OTHER BIT8 ///< 0x00000100 ///< Reserved. +#define EFI_IMAGE_SCN_LNK_INFO BIT9 ///< 0x00000200 ///< Section contains comments or some other type of information. +#define EFI_IMAGE_SCN_LNK_REMOVE BIT11 ///< 0x00000800 ///< Section contents will not become part of image. +#define EFI_IMAGE_SCN_LNK_COMDAT BIT12 ///< 0x00001000 + +#define EFI_IMAGE_SCN_ALIGN_1BYTES BIT20 ///< 0x00100000 +#define EFI_IMAGE_SCN_ALIGN_2BYTES BIT21 ///< 0x00200000 +#define EFI_IMAGE_SCN_ALIGN_4BYTES (BIT20|BIT21) ///< 0x00300000 +#define EFI_IMAGE_SCN_ALIGN_8BYTES BIT22 ///< 0x00400000 +#define EFI_IMAGE_SCN_ALIGN_16BYTES (BIT20|BIT22) ///< 0x00500000 +#define EFI_IMAGE_SCN_ALIGN_32BYTES (BIT21|BIT22) ///< 0x00600000 +#define EFI_IMAGE_SCN_ALIGN_64BYTES (BIT20|BIT21|BIT22) ///< 0x00700000 + +#define EFI_IMAGE_SCN_MEM_DISCARDABLE BIT25 ///< 0x02000000 +#define EFI_IMAGE_SCN_MEM_NOT_CACHED BIT26 ///< 0x04000000 +#define EFI_IMAGE_SCN_MEM_NOT_PAGED BIT27 ///< 0x08000000 +#define EFI_IMAGE_SCN_MEM_SHARED BIT28 ///< 0x10000000 +#define EFI_IMAGE_SCN_MEM_EXECUTE BIT29 ///< 0x20000000 +#define EFI_IMAGE_SCN_MEM_READ BIT30 ///< 0x40000000 +#define EFI_IMAGE_SCN_MEM_WRITE BIT31 ///< 0x80000000 + +/// +/// Size of a Symbol Table Record. +/// +#define EFI_IMAGE_SIZEOF_SYMBOL 18 + +// +// Symbols have a section number of the section in which they are +// defined. Otherwise, section numbers have the following meanings: +// +#define EFI_IMAGE_SYM_UNDEFINED (UINT16) 0 ///< Symbol is undefined or is common. +#define EFI_IMAGE_SYM_ABSOLUTE (UINT16) -1 ///< Symbol is an absolute value. +#define EFI_IMAGE_SYM_DEBUG (UINT16) -2 ///< Symbol is a special debug item. + +// +// Symbol Type (fundamental) values. +// +#define EFI_IMAGE_SYM_TYPE_NULL 0 ///< no type. +#define EFI_IMAGE_SYM_TYPE_VOID 1 ///< no valid type. +#define EFI_IMAGE_SYM_TYPE_CHAR 2 ///< type character. +#define EFI_IMAGE_SYM_TYPE_SHORT 3 ///< type short integer. +#define EFI_IMAGE_SYM_TYPE_INT 4 +#define EFI_IMAGE_SYM_TYPE_LONG 5 +#define EFI_IMAGE_SYM_TYPE_FLOAT 6 +#define EFI_IMAGE_SYM_TYPE_DOUBLE 7 +#define EFI_IMAGE_SYM_TYPE_STRUCT 8 +#define EFI_IMAGE_SYM_TYPE_UNION 9 +#define EFI_IMAGE_SYM_TYPE_ENUM 10 ///< enumeration. +#define EFI_IMAGE_SYM_TYPE_MOE 11 ///< member of enumeration. +#define EFI_IMAGE_SYM_TYPE_BYTE 12 +#define EFI_IMAGE_SYM_TYPE_WORD 13 +#define EFI_IMAGE_SYM_TYPE_UINT 14 +#define EFI_IMAGE_SYM_TYPE_DWORD 15 + +// +// Symbol Type (derived) values. +// +#define EFI_IMAGE_SYM_DTYPE_NULL 0 ///< no derived type. +#define EFI_IMAGE_SYM_DTYPE_POINTER 1 +#define EFI_IMAGE_SYM_DTYPE_FUNCTION 2 +#define EFI_IMAGE_SYM_DTYPE_ARRAY 3 + +// +// Storage classes. +// +#define EFI_IMAGE_SYM_CLASS_END_OF_FUNCTION ((UINT8) -1) +#define EFI_IMAGE_SYM_CLASS_NULL 0 +#define EFI_IMAGE_SYM_CLASS_AUTOMATIC 1 +#define EFI_IMAGE_SYM_CLASS_EXTERNAL 2 +#define EFI_IMAGE_SYM_CLASS_STATIC 3 +#define EFI_IMAGE_SYM_CLASS_REGISTER 4 +#define EFI_IMAGE_SYM_CLASS_EXTERNAL_DEF 5 +#define EFI_IMAGE_SYM_CLASS_LABEL 6 +#define EFI_IMAGE_SYM_CLASS_UNDEFINED_LABEL 7 +#define EFI_IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 8 +#define EFI_IMAGE_SYM_CLASS_ARGUMENT 9 +#define EFI_IMAGE_SYM_CLASS_STRUCT_TAG 10 +#define EFI_IMAGE_SYM_CLASS_MEMBER_OF_UNION 11 +#define EFI_IMAGE_SYM_CLASS_UNION_TAG 12 +#define EFI_IMAGE_SYM_CLASS_TYPE_DEFINITION 13 +#define EFI_IMAGE_SYM_CLASS_UNDEFINED_STATIC 14 +#define EFI_IMAGE_SYM_CLASS_ENUM_TAG 15 +#define EFI_IMAGE_SYM_CLASS_MEMBER_OF_ENUM 16 +#define EFI_IMAGE_SYM_CLASS_REGISTER_PARAM 17 +#define EFI_IMAGE_SYM_CLASS_BIT_FIELD 18 +#define EFI_IMAGE_SYM_CLASS_BLOCK 100 +#define EFI_IMAGE_SYM_CLASS_FUNCTION 101 +#define EFI_IMAGE_SYM_CLASS_END_OF_STRUCT 102 +#define EFI_IMAGE_SYM_CLASS_FILE 103 +#define EFI_IMAGE_SYM_CLASS_SECTION 104 +#define EFI_IMAGE_SYM_CLASS_WEAK_EXTERNAL 105 + +// +// type packing constants +// +#define EFI_IMAGE_N_BTMASK 017 +#define EFI_IMAGE_N_TMASK 060 +#define EFI_IMAGE_N_TMASK1 0300 +#define EFI_IMAGE_N_TMASK2 0360 +#define EFI_IMAGE_N_BTSHFT 4 +#define EFI_IMAGE_N_TSHIFT 2 + +// +// Communal selection types. +// +#define EFI_IMAGE_COMDAT_SELECT_NODUPLICATES 1 +#define EFI_IMAGE_COMDAT_SELECT_ANY 2 +#define EFI_IMAGE_COMDAT_SELECT_SAME_SIZE 3 +#define EFI_IMAGE_COMDAT_SELECT_EXACT_MATCH 4 +#define EFI_IMAGE_COMDAT_SELECT_ASSOCIATIVE 5 + +// +// the following values only be referred in PeCoff, not defined in PECOFF. +// +#define EFI_IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY 1 +#define EFI_IMAGE_WEAK_EXTERN_SEARCH_LIBRARY 2 +#define EFI_IMAGE_WEAK_EXTERN_SEARCH_ALIAS 3 + +/// +/// Relocation format. +/// +typedef struct { + UINT32 VirtualAddress; + UINT32 SymbolTableIndex; + UINT16 Type; +} EFI_IMAGE_RELOCATION; + +/// +/// Size of EFI_IMAGE_RELOCATION +/// +#define EFI_IMAGE_SIZEOF_RELOCATION 10 + +// +// I386 relocation types. +// +#define EFI_IMAGE_REL_I386_ABSOLUTE 0x0000 ///< Reference is absolute, no relocation is necessary. +#define EFI_IMAGE_REL_I386_DIR16 0x0001 ///< Direct 16-bit reference to the symbols virtual address. +#define EFI_IMAGE_REL_I386_REL16 0x0002 ///< PC-relative 16-bit reference to the symbols virtual address. +#define EFI_IMAGE_REL_I386_DIR32 0x0006 ///< Direct 32-bit reference to the symbols virtual address. +#define EFI_IMAGE_REL_I386_DIR32NB 0x0007 ///< Direct 32-bit reference to the symbols virtual address, base not included. +#define EFI_IMAGE_REL_I386_SEG12 0x0009 ///< Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address. +#define EFI_IMAGE_REL_I386_SECTION 0x000A +#define EFI_IMAGE_REL_I386_SECREL 0x000B +#define EFI_IMAGE_REL_I386_REL32 0x0014 ///< PC-relative 32-bit reference to the symbols virtual address. + +// +// x64 processor relocation types. +// +#define IMAGE_REL_AMD64_ABSOLUTE 0x0000 +#define IMAGE_REL_AMD64_ADDR64 0x0001 +#define IMAGE_REL_AMD64_ADDR32 0x0002 +#define IMAGE_REL_AMD64_ADDR32NB 0x0003 +#define IMAGE_REL_AMD64_REL32 0x0004 +#define IMAGE_REL_AMD64_REL32_1 0x0005 +#define IMAGE_REL_AMD64_REL32_2 0x0006 +#define IMAGE_REL_AMD64_REL32_3 0x0007 +#define IMAGE_REL_AMD64_REL32_4 0x0008 +#define IMAGE_REL_AMD64_REL32_5 0x0009 +#define IMAGE_REL_AMD64_SECTION 0x000A +#define IMAGE_REL_AMD64_SECREL 0x000B +#define IMAGE_REL_AMD64_SECREL7 0x000C +#define IMAGE_REL_AMD64_TOKEN 0x000D +#define IMAGE_REL_AMD64_SREL32 0x000E +#define IMAGE_REL_AMD64_PAIR 0x000F +#define IMAGE_REL_AMD64_SSPAN32 0x0010 + +/// +/// Based relocation format. +/// +typedef struct { + UINT32 VirtualAddress; + UINT32 SizeOfBlock; +} EFI_IMAGE_BASE_RELOCATION; + +/// +/// Size of EFI_IMAGE_BASE_RELOCATION. +/// +#define EFI_IMAGE_SIZEOF_BASE_RELOCATION 8 + +// +// Based relocation types. +// +#define EFI_IMAGE_REL_BASED_ABSOLUTE 0 +#define EFI_IMAGE_REL_BASED_HIGH 1 +#define EFI_IMAGE_REL_BASED_LOW 2 +#define EFI_IMAGE_REL_BASED_HIGHLOW 3 +#define EFI_IMAGE_REL_BASED_HIGHADJ 4 +#define EFI_IMAGE_REL_BASED_MIPS_JMPADDR 5 +#define EFI_IMAGE_REL_BASED_ARM_MOV32A 5 +#define EFI_IMAGE_REL_BASED_ARM_MOV32T 7 +#define EFI_IMAGE_REL_BASED_IA64_IMM64 9 +#define EFI_IMAGE_REL_BASED_MIPS_JMPADDR16 9 +#define EFI_IMAGE_REL_BASED_DIR64 10 + +/// +/// Line number format. +/// +typedef struct { + union { + UINT32 SymbolTableIndex; ///< Symbol table index of function name if Linenumber is 0. + UINT32 VirtualAddress; ///< Virtual address of line number. + } Type; + UINT16 Linenumber; ///< Line number. +} EFI_IMAGE_LINENUMBER; + +/// +/// Size of EFI_IMAGE_LINENUMBER. +/// +#define EFI_IMAGE_SIZEOF_LINENUMBER 6 + +// +// Archive format. +// +#define EFI_IMAGE_ARCHIVE_START_SIZE 8 +#define EFI_IMAGE_ARCHIVE_START "!\n" +#define EFI_IMAGE_ARCHIVE_END "`\n" +#define EFI_IMAGE_ARCHIVE_PAD "\n" +#define EFI_IMAGE_ARCHIVE_LINKER_MEMBER "/ " +#define EFI_IMAGE_ARCHIVE_LONGNAMES_MEMBER "// " + +/// +/// Archive Member Headers +/// +typedef struct { + UINT8 Name[16]; ///< File member name - `/' terminated. + UINT8 Date[12]; ///< File member date - decimal. + UINT8 UserID[6]; ///< File member user id - decimal. + UINT8 GroupID[6]; ///< File member group id - decimal. + UINT8 Mode[8]; ///< File member mode - octal. + UINT8 Size[10]; ///< File member size - decimal. + UINT8 EndHeader[2]; ///< String to end header. (0x60 0x0A). +} EFI_IMAGE_ARCHIVE_MEMBER_HEADER; + +/// +/// Size of EFI_IMAGE_ARCHIVE_MEMBER_HEADER. +/// +#define EFI_IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60 + + +// +// DLL Support +// + +/// +/// Export Directory Table. +/// +typedef struct { + UINT32 Characteristics; + UINT32 TimeDateStamp; + UINT16 MajorVersion; + UINT16 MinorVersion; + UINT32 Name; + UINT32 Base; + UINT32 NumberOfFunctions; + UINT32 NumberOfNames; + UINT32 AddressOfFunctions; + UINT32 AddressOfNames; + UINT32 AddressOfNameOrdinals; +} EFI_IMAGE_EXPORT_DIRECTORY; + +/// +/// Hint/Name Table. +/// +typedef struct { + UINT16 Hint; + UINT8 Name[1]; +} EFI_IMAGE_IMPORT_BY_NAME; + +/// +/// Import Address Table RVA (Thunk Table). +/// +typedef struct { + union { + UINT32 Function; + UINT32 Ordinal; + EFI_IMAGE_IMPORT_BY_NAME *AddressOfData; + } u1; +} EFI_IMAGE_THUNK_DATA; + +#define EFI_IMAGE_ORDINAL_FLAG BIT31 ///< Flag for PE32. +#define EFI_IMAGE_SNAP_BY_ORDINAL(Ordinal) ((Ordinal & EFI_IMAGE_ORDINAL_FLAG) != 0) +#define EFI_IMAGE_ORDINAL(Ordinal) (Ordinal & 0xffff) + +/// +/// Import Directory Table +/// +typedef struct { + UINT32 Characteristics; + UINT32 TimeDateStamp; + UINT32 ForwarderChain; + UINT32 Name; + EFI_IMAGE_THUNK_DATA *FirstThunk; +} EFI_IMAGE_IMPORT_DESCRIPTOR; + + +/// +/// Debug Directory Format. +/// +typedef struct { + UINT32 Characteristics; + UINT32 TimeDateStamp; + UINT16 MajorVersion; + UINT16 MinorVersion; + UINT32 Type; + UINT32 SizeOfData; + UINT32 RVA; ///< The address of the debug data when loaded, relative to the image base. + UINT32 FileOffset; ///< The file pointer to the debug data. +} EFI_IMAGE_DEBUG_DIRECTORY_ENTRY; + +#define EFI_IMAGE_DEBUG_TYPE_CODEVIEW 2 ///< The Visual C++ debug information. + +/// +/// Debug Data Structure defined in Microsoft C++. +/// +#define CODEVIEW_SIGNATURE_NB10 SIGNATURE_32('N', 'B', '1', '0') +typedef struct { + UINT32 Signature; ///< "NB10" + UINT32 Unknown; + UINT32 Unknown2; + UINT32 Unknown3; + // + // Filename of .PDB goes here + // +} EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY; + +/// +/// Debug Data Structure defined in Microsoft C++. +/// +#define CODEVIEW_SIGNATURE_RSDS SIGNATURE_32('R', 'S', 'D', 'S') +typedef struct { + UINT32 Signature; ///< "RSDS". + UINT32 Unknown; + UINT32 Unknown2; + UINT32 Unknown3; + UINT32 Unknown4; + UINT32 Unknown5; + // + // Filename of .PDB goes here + // +} EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY; + + +/// +/// Debug Data Structure defined by Apple Mach-O to Coff utility. +/// +#define CODEVIEW_SIGNATURE_MTOC SIGNATURE_32('M', 'T', 'O', 'C') +typedef struct { + UINT32 Signature; ///< "MTOC". + EFI_GUID MachOUuid; + // + // Filename of .DLL (Mach-O with debug info) goes here + // +} EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY; + +/// +/// Resource format. +/// +typedef struct { + UINT32 Characteristics; + UINT32 TimeDateStamp; + UINT16 MajorVersion; + UINT16 MinorVersion; + UINT16 NumberOfNamedEntries; + UINT16 NumberOfIdEntries; + // + // Array of EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY entries goes here. + // +} EFI_IMAGE_RESOURCE_DIRECTORY; + +/// +/// Resource directory entry format. +/// +typedef struct { + union { + struct { + UINT32 NameOffset:31; + UINT32 NameIsString:1; + } s; + UINT32 Id; + } u1; + union { + UINT32 OffsetToData; + struct { + UINT32 OffsetToDirectory:31; + UINT32 DataIsDirectory:1; + } s; + } u2; +} EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY; + +/// +/// Resource directory entry for string. +/// +typedef struct { + UINT16 Length; + CHAR16 String[1]; +} EFI_IMAGE_RESOURCE_DIRECTORY_STRING; + +/// +/// Resource directory entry for data array. +/// +typedef struct { + UINT32 OffsetToData; + UINT32 Size; + UINT32 CodePage; + UINT32 Reserved; +} EFI_IMAGE_RESOURCE_DATA_ENTRY; + +/// +/// Header format for TE images, defined in the PI Specification, 1.0. +/// +typedef struct { + UINT16 Signature; ///< The signature for TE format = "VZ". + UINT16 Machine; ///< From the original file header. + UINT8 NumberOfSections; ///< From the original file header. + UINT8 Subsystem; ///< From original optional header. + UINT16 StrippedSize; ///< Number of bytes we removed from the header. + UINT32 AddressOfEntryPoint; ///< Offset to entry point -- from original optional header. + UINT32 BaseOfCode; ///< From original image -- required for ITP debug. + UINT64 ImageBase; ///< From original file header. + EFI_IMAGE_DATA_DIRECTORY DataDirectory[2]; ///< Only base relocation and debug directory. +} EFI_TE_IMAGE_HEADER; + + +#define EFI_TE_IMAGE_HEADER_SIGNATURE SIGNATURE_16('V', 'Z') + +// +// Data directory indexes in our TE image header +// +#define EFI_TE_IMAGE_DIRECTORY_ENTRY_BASERELOC 0 +#define EFI_TE_IMAGE_DIRECTORY_ENTRY_DEBUG 1 + + +/// +/// Union of PE32, PE32+, and TE headers. +/// +typedef union { + EFI_IMAGE_NT_HEADERS32 Pe32; + EFI_IMAGE_NT_HEADERS64 Pe32Plus; + EFI_TE_IMAGE_HEADER Te; +} EFI_IMAGE_OPTIONAL_HEADER_UNION; + +typedef union { + EFI_IMAGE_NT_HEADERS32 *Pe32; + EFI_IMAGE_NT_HEADERS64 *Pe32Plus; + EFI_TE_IMAGE_HEADER *Te; + EFI_IMAGE_OPTIONAL_HEADER_UNION *Union; +} EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION; + +typedef struct { + WIN_CERTIFICATE Hdr; + UINT8 CertData[1]; +} WIN_CERTIFICATE_EFI_PKCS; + +#define SHA256_DIGEST_SIZE 32 +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 + +typedef struct { + UINT64 ImageAddress; + UINT64 ImageSize; + UINT64 EntryPoint; + UINTN SizeOfHeaders; + UINT16 ImageType; + UINT16 NumberOfSections; + EFI_IMAGE_SECTION_HEADER *FirstSection; + EFI_IMAGE_DATA_DIRECTORY *RelocDir; + EFI_IMAGE_DATA_DIRECTORY *SecDir; + UINT64 NumberOfRvaAndSizes; + EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr; +} PE_COFF_LOADER_IMAGE_CONTEXT; + +#endif diff --git a/include/configtable.h b/include/configtable.h new file mode 100644 index 0000000..fa2b505 --- /dev/null +++ b/include/configtable.h @@ -0,0 +1,68 @@ +/* definitions straight from TianoCore */ + +typedef UINT32 EFI_IMAGE_EXECUTION_ACTION; + +#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 +#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000 +#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001 +#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002 +#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003 +#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004 +#define EFI_IMAGE_EXECUTION_POLICY_FAILED 0x00000005 +#define EFI_IMAGE_EXECUTION_INITIALIZED 0x00000008 + +typedef struct { + /// + /// Describes the action taken by the firmware regarding this image. + /// + EFI_IMAGE_EXECUTION_ACTION Action; + /// + /// Size of all of the entire structure. + /// + UINT32 InfoSize; + /// + /// If this image was a UEFI device driver (for option ROM, for example) this is the + /// null-terminated, user-friendly name for the device. If the image was for an application, + /// then this is the name of the application. If this cannot be determined, then a simple + /// NULL character should be put in this position. + /// CHAR16 Name[]; + /// + + /// + /// For device drivers, this is the device path of the device for which this device driver + /// was intended. In some cases, the driver itself may be stored as part of the system + /// firmware, but this field should record the device's path, not the firmware path. For + /// applications, this is the device path of the application. If this cannot be determined, + /// a simple end-of-path device node should be put in this position. + /// EFI_DEVICE_PATH_PROTOCOL DevicePath; + /// + + /// + /// Zero or more image signatures. If the image contained no signatures, + /// then this field is empty. + /// + ///EFI_SIGNATURE_LIST Signature; + UINT8 Data[]; +} EFI_IMAGE_EXECUTION_INFO; + +typedef struct { + /// + /// Number of EFI_IMAGE_EXECUTION_INFO structures. + /// + UINTN NumberOfImages; + /// + /// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures. + /// + EFI_IMAGE_EXECUTION_INFO InformationInfo[]; +} EFI_IMAGE_EXECUTION_INFO_TABLE; + + +void * +configtable_get_table(EFI_GUID *guid); +EFI_IMAGE_EXECUTION_INFO_TABLE * +configtable_get_image_table(void); +EFI_IMAGE_EXECUTION_INFO * +configtable_find_image(const EFI_DEVICE_PATH *DevicePath); +int +configtable_image_is_forbidden(const EFI_DEVICE_PATH *DevicePath); + diff --git a/include/console.h b/include/console.h new file mode 100644 index 0000000..7eb8a0b --- /dev/null +++ b/include/console.h @@ -0,0 +1,21 @@ +EFI_INPUT_KEY +console_get_keystroke(void); +void +console_print_box_at(CHAR16 *str_arr[], int highlight, int start_col, int start_row, int size_cols, int size_rows, int offset, int lines); +void +console_print_box(CHAR16 *str_arr[], int highlight); +int +console_yes_no(CHAR16 *str_arr[]); +int +console_select(CHAR16 *title[], CHAR16* selectors[], int start); +void +console_errorbox(CHAR16 *err); +void +console_error(CHAR16 *err, EFI_STATUS); +void +console_alertbox(CHAR16 **title); +void +console_notify(CHAR16 *string); +void +console_reset(void); +#define NOSEL 0x7fffffff diff --git a/include/efiauthenticated.h b/include/efiauthenticated.h new file mode 100644 index 0000000..f7d6bcb --- /dev/null +++ b/include/efiauthenticated.h @@ -0,0 +1,222 @@ +#ifndef _INC_EFIAUTHENTICATED_H +#define _INC_EFIAUTHENTICATED_H +#include +//*********************************************************************** +// Signature Database +//*********************************************************************** +/// +/// The format of a signature database. +/// +#pragma pack(1) + +typedef struct { + /// + /// An identifier which identifies the agent which added the signature to the list. + /// + EFI_GUID SignatureOwner; + /// + /// The format of the signature is defined by the SignatureType. + /// + UINT8 SignatureData[1]; +} EFI_SIGNATURE_DATA; + +typedef struct { + /// + /// Type of the signature. GUID signature types are defined in below. + /// + EFI_GUID SignatureType; + /// + /// Total size of the signature list, including this header. + /// + UINT32 SignatureListSize; + /// + /// Size of the signature header which precedes the array of signatures. + /// + UINT32 SignatureHeaderSize; + /// + /// Size of each signature. + /// + UINT32 SignatureSize; + /// + /// Header before the array of signatures. The format of this header is specified + /// by the SignatureType. + /// UINT8 SignatureHeader[SignatureHeaderSize]; + /// + /// An array of signatures. Each signature is SignatureSize bytes in length. + /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; + /// +} EFI_SIGNATURE_LIST; + +#pragma pack() + +// +// _WIN_CERTIFICATE.wCertificateType +// +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 +#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 +#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 + +#define EFI_CERT_X509_GUID \ + (EFI_GUID){ \ + 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \ + } + +#define EFI_CERT_RSA2048_GUID \ + (EFI_GUID){ \ + 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \ + } + + +#define EFI_CERT_TYPE_PKCS7_GUID \ + (EFI_GUID){ \ + 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \ + } + +/// +/// WIN_CERTIFICATE_UEFI_GUID.CertType +/// +#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ + {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } + +/// +/// WIN_CERTIFICATE_UEFI_GUID.CertData +/// +typedef struct { + EFI_GUID HashType; + UINT8 PublicKey[256]; + UINT8 Signature[256]; +} EFI_CERT_BLOCK_RSA_2048_SHA256; + + +/// +/// Certificate which encapsulates a GUID-specific digital signature +/// +typedef struct { + /// + /// This is the standard WIN_CERTIFICATE header, where + /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. + /// + WIN_CERTIFICATE Hdr; + /// + /// This is the unique id which determines the + /// format of the CertData. . + /// + EFI_GUID CertType; + /// + /// The following is the certificate data. The format of + /// the data is determined by the CertType. + /// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID, + /// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure. + /// + UINT8 CertData[1]; +} WIN_CERTIFICATE_UEFI_GUID; + + +/// +/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature. +/// +/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from +/// WIN_CERTIFICATE and encapsulate the information needed to +/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as +/// specified in RFC2437. +/// +typedef struct { + /// + /// This is the standard WIN_CERTIFICATE header, where + /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15. + /// + WIN_CERTIFICATE Hdr; + /// + /// This is the hashing algorithm which was performed on the + /// UEFI executable when creating the digital signature. + /// + EFI_GUID HashAlgorithm; + /// + /// The following is the actual digital signature. The + /// size of the signature is the same size as the key + /// (1024-bit key is 128 bytes) and can be determined by + /// subtracting the length of the other parts of this header + /// from the total length of the certificate as found in + /// Hdr.dwLength. + /// + /// UINT8 Signature[]; + /// +} WIN_CERTIFICATE_EFI_PKCS1_15; + +#define OFFSET_OF(TYPE, Field) ((UINTN) &(((TYPE *)0)->Field)) + +/// +/// Attributes of Authenticated Variable +/// +#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 +#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020 +#define EFI_VARIABLE_APPEND_WRITE 0x00000040 + +/// +/// AuthInfo is a WIN_CERTIFICATE using the wCertificateType +/// WIN_CERTIFICATE_UEFI_GUID and the CertType +/// EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies +/// authenticated access, then the Data buffer should begin with an +/// authentication descriptor prior to the data payload and DataSize +/// should reflect the the data.and descriptor size. The caller +/// shall digest the Monotonic Count value and the associated data +/// for the variable update using the SHA-256 1-way hash algorithm. +/// The ensuing the 32-byte digest will be signed using the private +/// key associated w/ the public/private 2048-bit RSA key-pair. The +/// WIN_CERTIFICATE shall be used to describe the signature of the +/// Variable data *Data. In addition, the signature will also +/// include the MonotonicCount value to guard against replay attacks. +/// +typedef struct { + /// + /// Included in the signature of + /// AuthInfo.Used to ensure freshness/no + /// replay. Incremented during each + /// "Write" access. + /// + UINT64 MonotonicCount; + /// + /// Provides the authorization for the variable + /// access. It is a signature across the + /// variable data and the Monotonic Count + /// value. Caller uses Private key that is + /// associated with a public key that has been + /// provisioned via the key exchange. + /// + WIN_CERTIFICATE_UEFI_GUID AuthInfo; +} EFI_VARIABLE_AUTHENTICATION; + +/// +/// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is +/// set, then the Data buffer shall begin with an instance of a complete (and serialized) +/// EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be followed by the new +/// variable value and DataSize shall reflect the combined size of the descriptor and the new +/// variable value. The authentication descriptor is not part of the variable data and is not +/// returned by subsequent calls to GetVariable(). +/// +typedef struct { + /// + /// For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and + /// Pad2 shall be set to 0. This means that the time shall always be expressed in GMT. + /// + EFI_TIME TimeStamp; + /// + /// Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted. + /// + WIN_CERTIFICATE_UEFI_GUID AuthInfo; + } EFI_VARIABLE_AUTHENTICATION_2; + +/// +/// Size of AuthInfo prior to the data payload. +/// +#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \ + (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \ + sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256)) + +#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \ + (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength) + +#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \ + (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) + +#endif diff --git a/include/errors.h b/include/errors.h new file mode 100644 index 0000000..0da4bb5 --- /dev/null +++ b/include/errors.h @@ -0,0 +1,9 @@ +#include + +#ifndef EFI_INCOMPATIBLE_VERSION +#define EFI_INCOMPATIBLE_VERSION EFIERR(25) +#endif +#ifndef EFI_SECURITY_VIOLATION +#define EFI_SECURITY_VIOLATION EFIERR(26) +#endif + diff --git a/include/execute.h b/include/execute.h new file mode 100644 index 0000000..9aecbff --- /dev/null +++ b/include/execute.h @@ -0,0 +1,5 @@ +EFI_STATUS +generate_path(CHAR16* name, EFI_LOADED_IMAGE *li, + EFI_DEVICE_PATH **path, CHAR16 **PathName); +EFI_STATUS +execute(EFI_HANDLE image, CHAR16 *name); diff --git a/include/guid.h b/include/guid.h new file mode 100644 index 0000000..10f865a --- /dev/null +++ b/include/guid.h @@ -0,0 +1,18 @@ +#include + +#ifndef BUILD_EFI +const char *guid_to_str(EFI_GUID *guid); +void str_to_guid(const char *str, EFI_GUID *guid); +#endif + +extern EFI_GUID GV_GUID; +extern EFI_GUID SIG_DB; +extern EFI_GUID X509_GUID; +extern EFI_GUID RSA2048_GUID; +extern EFI_GUID PKCS7_GUID; +extern EFI_GUID IMAGE_PROTOCOL; +extern EFI_GUID SIMPLE_FS_PROTOCOL; +extern EFI_GUID EFI_CERT_SHA256_GUID; +extern EFI_GUID MOK_OWNER; +extern EFI_GUID SECURITY_PROTOCOL_GUID; +extern EFI_GUID SECURITY2_PROTOCOL_GUID; diff --git a/include/security_policy.h b/include/security_policy.h new file mode 100644 index 0000000..a1c1002 --- /dev/null +++ b/include/security_policy.h @@ -0,0 +1,6 @@ +EFI_STATUS +security_policy_install(void); +EFI_STATUS +security_policy_uninstall(void); +void +security_protocol_set_hashes(unsigned char *esl, int len); diff --git a/include/shell.h b/include/shell.h new file mode 100644 index 0000000..9cb5d47 --- /dev/null +++ b/include/shell.h @@ -0,0 +1,2 @@ +EFI_STATUS +argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV); diff --git a/include/simple_file.h b/include/simple_file.h new file mode 100644 index 0000000..fe4fd97 --- /dev/null +++ b/include/simple_file.h @@ -0,0 +1,21 @@ +EFI_STATUS +simple_file_open (EFI_HANDLE image, CHAR16 *name, EFI_FILE **file, UINT64 mode); +EFI_STATUS +simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UINT64 mode); +EFI_STATUS +simple_file_read_all(EFI_FILE *file, UINTN *size, void **buffer); +EFI_STATUS +simple_file_write_all(EFI_FILE *file, UINTN size, void *buffer); +void +simple_file_close(EFI_FILE *file); +EFI_STATUS +simple_dir_read_all(EFI_HANDLE image, CHAR16 *name, EFI_FILE_INFO **Entries, + int *count); +EFI_STATUS +simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, + CHAR16 ***result, int *count, EFI_FILE_INFO **entries); +void +simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name, + CHAR16 *filter, CHAR16 **result); +EFI_STATUS +simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h); diff --git a/include/variables.h b/include/variables.h new file mode 100644 index 0000000..c171bd5 --- /dev/null +++ b/include/variables.h @@ -0,0 +1,59 @@ +#include + +#include /* for SHA256_DIGEST_SIZE */ + +#define certlist_for_each_certentry(cl, cl_init, s, s_init) \ + for (cl = (EFI_SIGNATURE_LIST *)(cl_init), s = (s_init); \ + s > 0 && s >= cl->SignatureListSize; \ + s -= cl->SignatureListSize, \ + cl = (EFI_SIGNATURE_LIST *) ((UINT8 *)cl + cl->SignatureListSize)) + +/* + * Warning: this assumes (cl)->SignatureHeaderSize is zero. It is for all + * the signatures we process (X509, RSA2048, SHA256) + */ +#define certentry_for_each_cert(c, cl) \ + for (c = (EFI_SIGNATURE_DATA *)((UINT8 *) (cl) + sizeof(EFI_SIGNATURE_LIST) + (cl)->SignatureHeaderSize); \ + (UINT8 *)c < ((UINT8 *)(cl)) + (cl)->SignatureListSize; \ + c = (EFI_SIGNATURE_DATA *)((UINT8 *)c + (cl)->SignatureSize)) + +EFI_STATUS +CreatePkX509SignatureList ( + IN UINT8 *X509Data, + IN UINTN X509DataSize, + IN EFI_GUID owner, + OUT EFI_SIGNATURE_LIST **PkCert + ); +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data + ); +EFI_STATUS +SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, UINT32 options, int createtimebased); +EFI_STATUS +get_variable(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner); +EFI_STATUS +get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, + UINT32 *attributes); +EFI_STATUS +find_in_esl(UINT8 *Data, UINTN DataSize, UINT8 *key, UINTN keylen); +EFI_STATUS +find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen); + +#define EFI_OS_INDICATIONS_BOOT_TO_FW_UI 0x0000000000000001 + +UINT64 +GetOSIndications(void); +EFI_STATUS +SETOSIndicationsAndReboot(UINT64 indications); +int +variable_is_secureboot(void); +int +variable_is_setupmode(void); +EFI_STATUS +variable_enroll_hash(CHAR16 *var, EFI_GUID owner, + UINT8 hash[SHA256_DIGEST_SIZE]); +EFI_STATUS +variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner, + void **out, int *outlen); diff --git a/include/version.h b/include/version.h new file mode 100644 index 0000000..09fd44a --- /dev/null +++ b/include/version.h @@ -0,0 +1,8 @@ +#define VERSION "1.3.4" + +static void +version(const char *progname) +{ + printf("%s " VERSION "\n", progname); +} + diff --git a/include/wincert.h b/include/wincert.h new file mode 100644 index 0000000..68d1974 --- /dev/null +++ b/include/wincert.h @@ -0,0 +1,33 @@ +#ifndef _INC_WINCERT_H +#define _INC_WINCERT_H + +/// +/// The WIN_CERTIFICATE structure is part of the PE/COFF specification. +/// +typedef struct { + /// + /// The length of the entire certificate, + /// including the length of the header, in bytes. + /// + UINT32 dwLength; + /// + /// The revision level of the WIN_CERTIFICATE + /// structure. The current revision level is 0x0200. + /// + UINT16 wRevision; + /// + /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI + /// certificate types. The UEFI specification reserves the range of + /// certificate type values from 0x0EF0 to 0x0EFF. + /// + UINT16 wCertificateType; + /// + /// The following is the actual certificate. The format of + /// the certificate depends on wCertificateType. + /// + /// UINT8 bCertificate[ANYSIZE_ARRAY]; + /// +} WIN_CERTIFICATE; + + +#endif diff --git a/lib/Makefile b/lib/Makefile new file mode 100644 index 0000000..be5f354 --- /dev/null +++ b/lib/Makefile @@ -0,0 +1,28 @@ +TARGET = lib.a + +LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o + +ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) + +EFI_INCLUDE = /usr/include/efi +EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include +EFI_PATH = /usr/lib64/gnuefi + +EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o +EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds + +CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -mno-red-zone -DBUILD_EFI $(EFI_INCLUDES) +ifeq ($(ARCH),x86_64) + CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI +endif + +lib.a: $(LIBFILES) + ar rcs lib.a $(LIBFILES) + +all: $(TARGET) + +clean: + rm -f lib.a + rm -f $(LIBFILES) + diff --git a/lib/configtable.c b/lib/configtable.c new file mode 100644 index 0000000..735ce8f --- /dev/null +++ b/lib/configtable.c @@ -0,0 +1,144 @@ +/* + * Copyright 2013 + * + * see COPYING file + * + * read some platform configuration tables + */ +#include +#include + +#include +#include + +void * +configtable_get_table(EFI_GUID *guid) +{ + int i; + + for (i = 0; i < ST->NumberOfTableEntries; i++) { + EFI_CONFIGURATION_TABLE *CT = &ST->ConfigurationTable[i]; + + if (CompareGuid(guid, &CT->VendorGuid) == 0) { + return CT->VendorTable; + } + } + return NULL; +} + +EFI_IMAGE_EXECUTION_INFO_TABLE * +configtable_get_image_table(void) +{ + return configtable_get_table(&SIG_DB); +} + +EFI_IMAGE_EXECUTION_INFO * +configtable_find_image(const EFI_DEVICE_PATH *DevicePath) +{ + EFI_IMAGE_EXECUTION_INFO_TABLE *t = configtable_get_image_table(); + + if (!t) + return NULL; + + int entries = t->NumberOfImages; + EFI_IMAGE_EXECUTION_INFO *e = t->InformationInfo; + + int i; + for (i = 0; i < entries; i++) { +#ifdef DEBUG_CONFIG + Print(L"InfoSize = %d Action = %d\n", e->InfoSize, e->Action); + + /* print what we have for debugging */ + UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2; + Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d += 16; + Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d += 16; + Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d += 16; + Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d += 16; + Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d += 16; + Print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); +#endif + CHAR16 *name = (CHAR16 *)(e->Data); + int skip = 0; + + /* There's a bug in a lot of EFI platforms and they forget to + * put the name here. The only real way of detecting it is to + * look for either a UC16 NULL or ASCII as UC16 */ + if (name[0] == '\0' || (e->Data[1] == 0 && e->Data[3] == 0)) { + skip = StrSize(name); +#ifdef DEBUG_CONFIG + Print(L"FOUND NAME %s (%d)\n", name, skip); +#endif + } + EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)(e->Data + skip), *dpn = dp; + if (dp->Type == 0 || dp->Type > 6 || dp->SubType == 0 + || (((dp->Length[1] << 8) + dp->Length[0]) > e->InfoSize)) { + /* Parse error, table corrupt, bail */ + Print(L"Image Execution Information table corrupt\n"); + break; + } + + UINTN Size; + DevicePathInstance(&dpn, &Size); +#ifdef DEBUG_CONFIG + Print(L"Path: %s\n", DevicePathToStr(dp)); + Print(L"Device Path Size %d\n", Size); +#endif + if (Size > e->InfoSize) { + /* parse error; the platform obviously has a + * corrupted image table; bail */ + Print(L"Image Execution Information table corrupt\n"); + break; + } + + if (CompareMem(dp, DevicePath, Size) == 0) { +#ifdef DEBUG_CONFIG + Print(L"***FOUND\n"); + console_get_keystroke(); +#endif + return e; + } + e = (EFI_IMAGE_EXECUTION_INFO *)((UINT8 *)e + e->InfoSize); + } + +#ifdef DEBUG_CONFIG + Print(L"***NOT FOUND\n"); + console_get_keystroke(); +#endif + + return NULL; +} + +int +configtable_image_is_forbidden(const EFI_DEVICE_PATH *DevicePath) +{ + EFI_IMAGE_EXECUTION_INFO *e = configtable_find_image(DevicePath); + + /* Image may not be in DB if it gets executed successfully If it is, + * and EFI_IMAGE_EXECUTION_INITIALIZED is not set, then the image + * isn't authenticated. If there's no signature, usually + * EFI_IMAGE_EXECUTION_AUTH_UNTESTED is set, if the hash is in dbx, + * EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND is returned, and if the key is + * in dbx, EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED is returned*/ + + if (e && (e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND + || e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED)) { + /* this means the images signing key is in dbx */ +#ifdef DEBUG_CONFIG + Print(L"SIGNATURE IS IN DBX, FORBIDDING EXECUTION\n"); +#endif + return 1; + } + + return 0; +} diff --git a/lib/console.c b/lib/console.c new file mode 100644 index 0000000..af01f03 --- /dev/null +++ b/lib/console.c @@ -0,0 +1,402 @@ +/* + * Copyright 2012 + * + * see COPYING file + */ +#include +#include + +#include +#include + +static int min(int a, int b) +{ + if (a < b) + return a; + return b; +} + +static int +count_lines(CHAR16 *str_arr[]) +{ + int i = 0; + + while (str_arr[i]) + i++; + return i; +} + +static void +SetMem16(CHAR16 *dst, UINT32 n, CHAR16 c) +{ + int i; + + for (i = 0; i < n/2; i++) { + dst[i] = c; + } +} + +EFI_INPUT_KEY +console_get_keystroke(void) +{ + EFI_INPUT_KEY key; + UINTN EventIndex; + + uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex); + uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &key); + + return key; +} + +void +console_print_box_at(CHAR16 *str_arr[], int highlight, int start_col, int start_row, int size_cols, int size_rows, int offset, int lines) +{ + int i; + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + UINTN rows, cols; + CHAR16 *Line; + + if (lines == 0) + return; + + uefi_call_wrapper(co->QueryMode, 4, co, co->Mode->Mode, &cols, &rows); + + /* last row on screen is unusable without scrolling, so ignore it */ + rows--; + + if (size_rows < 0) + size_rows = rows + size_rows + 1; + if (size_cols < 0) + size_cols = cols + size_cols + 1; + + if (start_col < 0) + start_col = (cols + start_col + 2)/2; + if (start_row < 0) + start_row = (rows + start_row + 2)/2; + if (start_col < 0) + start_col = 0; + if (start_row < 0) + start_row = 0; + + if (start_col > cols || start_row > rows) { + Print(L"Starting Position (%d,%d) is off screen\n", + start_col, start_row); + return; + } + if (size_cols + start_col > cols) + size_cols = cols - start_col; + if (size_rows + start_row > rows) + size_rows = rows - start_row; + + if (lines > size_rows - 2) + lines = size_rows - 2; + + Line = AllocatePool((size_cols+1)*sizeof(CHAR16)); + if (!Line) { + Print(L"Failed Allocation\n"); + return; + } + + SetMem16 (Line, size_cols * 2, BOXDRAW_HORIZONTAL); + + Line[0] = BOXDRAW_DOWN_RIGHT; + Line[size_cols - 1] = BOXDRAW_DOWN_LEFT; + Line[size_cols] = L'\0'; + uefi_call_wrapper(co->SetCursorPosition, 3, co, start_col, start_row); + uefi_call_wrapper(co->OutputString, 2, co, Line); + + int start; + if (offset == 0) + /* middle */ + start = (size_rows - lines)/2 + start_row + offset; + else if (offset < 0) + /* from bottom */ + start = start_row + size_rows - lines + offset - 1; + else + /* from top */ + start = start_row + offset; + + + for (i = start_row + 1; i < size_rows + start_row - 1; i++) { + int line = i - start; + + SetMem16 (Line, size_cols*2, L' '); + Line[0] = BOXDRAW_VERTICAL; + Line[size_cols - 1] = BOXDRAW_VERTICAL; + Line[size_cols] = L'\0'; + if (line >= 0 && line < lines) { + CHAR16 *s = str_arr[line]; + int len = StrLen(s); + int col = (size_cols - 2 - len)/2; + + if (col < 0) + col = 0; + + CopyMem(Line + col + 1, s, min(len, size_cols - 2)*2); + } + if (line >= 0 && line == highlight) + uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLACK); + uefi_call_wrapper(co->SetCursorPosition, 3, co, start_col, i); + uefi_call_wrapper(co->OutputString, 2, co, Line); + if (line >= 0 && line == highlight) + uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); + + } + SetMem16 (Line, size_cols * 2, BOXDRAW_HORIZONTAL); + Line[0] = BOXDRAW_UP_RIGHT; + Line[size_cols - 1] = BOXDRAW_UP_LEFT; + Line[size_cols] = L'\0'; + uefi_call_wrapper(co->SetCursorPosition, 3, co, start_col, i); + uefi_call_wrapper(co->OutputString, 2, co, Line); + + FreePool (Line); + +} + +void +console_print_box(CHAR16 *str_arr[], int highlight) +{ + SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode; + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + CopyMem(&SavedConsoleMode, co->Mode, sizeof(SavedConsoleMode)); + uefi_call_wrapper(co->EnableCursor, 2, co, FALSE); + uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); + + console_print_box_at(str_arr, highlight, 0, 0, -1, -1, 0, + count_lines(str_arr)); + + console_get_keystroke(); + + uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); + + uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); + uefi_call_wrapper(co->SetCursorPosition, 3, co, SavedConsoleMode.CursorColumn, SavedConsoleMode.CursorRow); + uefi_call_wrapper(co->SetAttribute, 2, co, SavedConsoleMode.Attribute); +} + +int +console_select(CHAR16 *title[], CHAR16* selectors[], int start) +{ + SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode; + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + EFI_INPUT_KEY k; + int selector; + int selector_lines = count_lines(selectors); + int selector_max_cols = 0; + int i, offs_col, offs_row, size_cols, size_rows, lines; + int selector_offset; + UINTN cols, rows; + + uefi_call_wrapper(co->QueryMode, 4, co, co->Mode->Mode, &cols, &rows); + + for (i = 0; i < selector_lines; i++) { + int len = StrLen(selectors[i]); + + if (len > selector_max_cols) + selector_max_cols = len; + } + + if (start < 0) + start = 0; + if (start >= selector_lines) + start = selector_lines - 1; + + offs_col = - selector_max_cols - 4; + size_cols = selector_max_cols + 4; + + if (selector_lines > rows - 10) { + int title_lines = count_lines(title); + offs_row = title_lines + 1; + size_rows = rows - 3 - title_lines; + lines = size_rows - 2; + } else { + offs_row = - selector_lines - 4; + size_rows = selector_lines + 2; + lines = selector_lines; + } + + if (start > lines) { + selector = lines; + selector_offset = start - lines; + } else { + selector = start; + selector_offset = 0; + } + + CopyMem(&SavedConsoleMode, co->Mode, sizeof(SavedConsoleMode)); + uefi_call_wrapper(co->EnableCursor, 2, co, FALSE); + uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); + + console_print_box_at(title, -1, 0, 0, -1, -1, 1, count_lines(title)); + + console_print_box_at(selectors, selector, offs_col, offs_row, + size_cols, size_rows, 0, lines); + + do { + k = console_get_keystroke(); + + if (k.ScanCode == SCAN_ESC) { + selector = -1; + break; + } + + if (k.ScanCode == SCAN_UP) { + if (selector > 0) + selector--; + else if (selector_offset > 0) + selector_offset--; + } else if (k.ScanCode == SCAN_DOWN) { + if (selector < lines - 1) + selector++; + else if (selector_offset < (selector_lines - lines)) + selector_offset++; + } + + console_print_box_at(&selectors[selector_offset], selector, + offs_col, offs_row, + size_cols, size_rows, 0, lines); + } while (!(k.ScanCode == SCAN_NULL + && k.UnicodeChar == CHAR_CARRIAGE_RETURN)); + + uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); + + uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); + uefi_call_wrapper(co->SetCursorPosition, 3, co, SavedConsoleMode.CursorColumn, SavedConsoleMode.CursorRow); + uefi_call_wrapper(co->SetAttribute, 2, co, SavedConsoleMode.Attribute); + + if (selector < 0) + /* ESC pressed */ + return selector; + return selector + selector_offset; +} + + +int +console_yes_no(CHAR16 *str_arr[]) +{ + return console_select(str_arr, (CHAR16 *[]){ L"No", L"Yes", NULL }, 0); +} + +void +console_alertbox(CHAR16 **title) +{ + console_select(title, (CHAR16 *[]){ L"OK", 0 }, 0); +} + +void +console_errorbox(CHAR16 *err) +{ + CHAR16 **err_arr = (CHAR16 *[]){ + L"ERROR", + L"", + 0, + 0, + }; + + err_arr[2] = err; + + console_alertbox(err_arr); +} + +void +console_notify(CHAR16 *string) +{ + CHAR16 **str_arr = (CHAR16 *[]){ + 0, + 0, + }; + + str_arr[0] = string; + + console_alertbox(str_arr); +} + +#define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) + +/* Copy of gnu-efi-3.0 with the added secure boot strings */ +static struct { + EFI_STATUS Code; + WCHAR *Desc; +} error_table[] = { + { EFI_SUCCESS, L"Success"}, + { EFI_LOAD_ERROR, L"Load Error"}, + { EFI_INVALID_PARAMETER, L"Invalid Parameter"}, + { EFI_UNSUPPORTED, L"Unsupported"}, + { EFI_BAD_BUFFER_SIZE, L"Bad Buffer Size"}, + { EFI_BUFFER_TOO_SMALL, L"Buffer Too Small"}, + { EFI_NOT_READY, L"Not Ready"}, + { EFI_DEVICE_ERROR, L"Device Error"}, + { EFI_WRITE_PROTECTED, L"Write Protected"}, + { EFI_OUT_OF_RESOURCES, L"Out of Resources"}, + { EFI_VOLUME_CORRUPTED, L"Volume Corrupt"}, + { EFI_VOLUME_FULL, L"Volume Full"}, + { EFI_NO_MEDIA, L"No Media"}, + { EFI_MEDIA_CHANGED, L"Media changed"}, + { EFI_NOT_FOUND, L"Not Found"}, + { EFI_ACCESS_DENIED, L"Access Denied"}, + { EFI_NO_RESPONSE, L"No Response"}, + { EFI_NO_MAPPING, L"No mapping"}, + { EFI_TIMEOUT, L"Time out"}, + { EFI_NOT_STARTED, L"Not started"}, + { EFI_ALREADY_STARTED, L"Already started"}, + { EFI_ABORTED, L"Aborted"}, + { EFI_ICMP_ERROR, L"ICMP Error"}, + { EFI_TFTP_ERROR, L"TFTP Error"}, + { EFI_PROTOCOL_ERROR, L"Protocol Error"}, + { EFI_INCOMPATIBLE_VERSION, L"Incompatible Version"}, + { EFI_SECURITY_VIOLATION, L"Security Violation"}, + + // warnings + { EFI_WARN_UNKOWN_GLYPH, L"Warning Unknown Glyph"}, + { EFI_WARN_DELETE_FAILURE, L"Warning Delete Failure"}, + { EFI_WARN_WRITE_FAILURE, L"Warning Write Failure"}, + { EFI_WARN_BUFFER_TOO_SMALL, L"Warning Buffer Too Small"}, + { 0, NULL} +} ; + + +static CHAR16 * +err_string ( + IN EFI_STATUS Status + ) +{ + UINTN Index; + + for (Index = 0; error_table[Index].Desc; Index +=1) { + if (error_table[Index].Code == Status) { + return error_table[Index].Desc; + } + } + + return L""; +} + + +void +console_error(CHAR16 *err, EFI_STATUS status) +{ + CHAR16 **err_arr = (CHAR16 *[]){ + L"ERROR", + L"", + 0, + 0, + }; + CHAR16 str[512]; + + SPrint(str, sizeof(str), L"%s: (%d) %s", err, status, err_string(status)); + + err_arr[2] = str; + + console_alertbox(err_arr); +} + +void +console_reset(void) +{ + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + + uefi_call_wrapper(co->Reset, 2, co, TRUE); + /* set mode 0 - required to be 80x25 */ + uefi_call_wrapper(co->SetMode, 2, co, 0); + uefi_call_wrapper(co->ClearScreen, 1, co); +} diff --git a/lib/execute.c b/lib/execute.c new file mode 100644 index 0000000..8d726eb --- /dev/null +++ b/lib/execute.c @@ -0,0 +1,127 @@ +/* + * Copyright 2012 + * + * see COPYING file + * + * -- + * + * generate_path is a cut and paste from + * + * git://github.com/mjg59/shim.git + * + * Code Copyright 2012 Red Hat, Inc + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include + +#include +#include + +EFI_STATUS +generate_path(CHAR16* name, EFI_LOADED_IMAGE *li, EFI_DEVICE_PATH **path, CHAR16 **PathName) +{ + unsigned int pathlen; + EFI_STATUS efi_status = EFI_SUCCESS; + CHAR16 *devpathstr = DevicePathToStr(li->FilePath), + *found = NULL; + int i; + + for (i = 0; i < StrLen(devpathstr); i++) { + if (devpathstr[i] == '/') + devpathstr[i] = '\\'; + if (devpathstr[i] == '\\') + found = &devpathstr[i]; + } + if (!found) { + pathlen = 0; + } else { + while (*(found - 1) == '\\') + --found; + *found = '\0'; + pathlen = StrLen(devpathstr); + } + + if (name[0] != '\\') + pathlen++; + + *PathName = AllocatePool((pathlen + 1 + StrLen(name))*sizeof(CHAR16)); + + if (!*PathName) { + Print(L"Failed to allocate path buffer\n"); + efi_status = EFI_OUT_OF_RESOURCES; + goto error; + } + + StrCpy(*PathName, devpathstr); + + if (name[0] != '\\') + StrCat(*PathName, L"\\"); + StrCat(*PathName, name); + + *path = FileDevicePath(li->DeviceHandle, *PathName); + +error: + FreePool(devpathstr); + + return efi_status; +} + +EFI_STATUS +execute(EFI_HANDLE image, CHAR16 *name) +{ + EFI_STATUS status; + EFI_HANDLE h; + EFI_LOADED_IMAGE *li; + EFI_DEVICE_PATH *devpath; + CHAR16 *PathName; + + status = uefi_call_wrapper(BS->HandleProtocol, 3, image, + &IMAGE_PROTOCOL, &li); + if (status != EFI_SUCCESS) + return status; + + + status = generate_path(name, li, &devpath, &PathName); + if (status != EFI_SUCCESS) + return status; + + status = uefi_call_wrapper(BS->LoadImage, 6, FALSE, image, + devpath, NULL, 0, &h); + if (status != EFI_SUCCESS) + goto out; + + status = uefi_call_wrapper(BS->StartImage, 3, h, NULL, NULL); + uefi_call_wrapper(BS->UnloadImage, 1, h); + + out: + FreePool(PathName); + FreePool(devpath); + return status; +} diff --git a/lib/guid.c b/lib/guid.c new file mode 100644 index 0000000..25db91a --- /dev/null +++ b/lib/guid.c @@ -0,0 +1,47 @@ +/* + * Copyright 2012 + * + * see COPYING file + */ + +#include +#include + +#ifndef BUILD_EFI +/* EFI has %g for this, so it's only needed in platform c */ +const char *guid_to_str(EFI_GUID *guid) +{ + static char str[256]; + + sprintf(str, "%08x-%04hx-%04hx-%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx", + guid->Data1, guid->Data2, guid->Data3, + guid->Data4[0], guid->Data4[1], guid->Data4[2], + guid->Data4[3], guid->Data4[4], guid->Data4[5], + guid->Data4[6], guid->Data4[7]); + + return str; +} + +void str_to_guid(const char *str, EFI_GUID *guid) +{ + sscanf(str, "%8x-%4hx-%4hx-%2hhx%2hhx-%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx", + &guid->Data1, &guid->Data2, &guid->Data3, + guid->Data4, guid->Data4 + 1, guid->Data4 + 2, + guid->Data4 + 3, guid->Data4 + 4, guid->Data4 + 5, + guid->Data4 + 6, guid->Data4 + 7); +} +#endif + +/* all the necessary guids */ +EFI_GUID GV_GUID = EFI_GLOBAL_VARIABLE; +EFI_GUID SIG_DB = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }}; + +EFI_GUID X509_GUID = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} }; +EFI_GUID RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} }; +EFI_GUID PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} }; +EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL; +EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL; +EFI_GUID EFI_CERT_SHA256_GUID = { 0xc1c41626, 0x504c, 0x4092, { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } }; +EFI_GUID MOK_OWNER = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; +EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; +EFI_GUID SECURITY2_PROTOCOL_GUID = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } }; diff --git a/lib/security_policy.c b/lib/security_policy.c new file mode 100644 index 0000000..e7becbf --- /dev/null +++ b/lib/security_policy.c @@ -0,0 +1,391 @@ +/* + * Copyright 2012 + * + * see COPYING file + * + * Install and remove a platform security2 override policy + */ + +#include +#include + +#include +#include +#include +#include +#include + +#include + +/* + * See the UEFI Platform Initialization manual (Vol2: DXE) for this + */ +struct _EFI_SECURITY2_PROTOCOL; +struct _EFI_SECURITY_PROTOCOL; +typedef struct _EFI_SECURITY2_PROTOCOL EFI_SECURITY2_PROTOCOL; +typedef struct _EFI_SECURITY_PROTOCOL EFI_SECURITY_PROTOCOL; +typedef EFI_DEVICE_PATH EFI_DEVICE_PATH_PROTOCOL; + +typedef EFI_STATUS (EFIAPI *EFI_SECURITY_FILE_AUTHENTICATION_STATE) ( + const EFI_SECURITY_PROTOCOL *This, + UINT32 AuthenticationStatus, + const EFI_DEVICE_PATH_PROTOCOL *File + ); +typedef EFI_STATUS (EFIAPI *EFI_SECURITY2_FILE_AUTHENTICATION) ( + const EFI_SECURITY2_PROTOCOL *This, + const EFI_DEVICE_PATH_PROTOCOL *DevicePath, + VOID *FileBuffer, + UINTN FileSize, + BOOLEAN BootPolicy + ); + +struct _EFI_SECURITY2_PROTOCOL { + EFI_SECURITY2_FILE_AUTHENTICATION FileAuthentication; +}; + +struct _EFI_SECURITY_PROTOCOL { + EFI_SECURITY_FILE_AUTHENTICATION_STATE FileAuthenticationState; +}; + + +static UINT8 *security_policy_esl = NULL; +static UINTN security_policy_esl_len; + +static EFI_STATUS +security_policy_check_mok(void *data, UINTN len) +{ + EFI_STATUS status; + UINT8 hash[SHA256_DIGEST_SIZE]; + UINT32 attr; + UINT8 *VarData; + UINTN VarLen; + + /* first check is MokSBState. If we're in insecure mode, boot + * anyway regardless of dbx contents */ + status = get_variable_attr(L"MokSBState", &VarData, &VarLen, + MOK_OWNER, &attr); + if (status == EFI_SUCCESS) { + UINT8 MokSBState = VarData[0]; + + FreePool(VarData); + if ((attr & EFI_VARIABLE_RUNTIME_ACCESS) == 0 + && MokSBState) + return EFI_SUCCESS; + } + + status = sha256_get_pecoff_digest_mem(data, len, hash); + if (status != EFI_SUCCESS) + return status; + + if (find_in_variable_esl(L"dbx", SIG_DB, hash, SHA256_DIGEST_SIZE) + == EFI_SUCCESS) + /* MOK list cannot override dbx */ + return EFI_SECURITY_VIOLATION; + + status = get_variable_attr(L"MokList", &VarData, &VarLen, MOK_OWNER, + &attr); + if (status != EFI_SUCCESS) + goto check_tmplist; + + FreePool(VarData); + + if (attr & EFI_VARIABLE_RUNTIME_ACCESS) + goto check_tmplist; + + if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) == EFI_SUCCESS) + return EFI_SUCCESS; + + check_tmplist: + if (security_policy_esl + && find_in_esl(security_policy_esl, security_policy_esl_len, hash, + SHA256_DIGEST_SIZE) == EFI_SUCCESS) + return EFI_SUCCESS; + + return EFI_SECURITY_VIOLATION; +} + +static EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL; +static EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL; + +static EFI_STATUS thunk_security_policy_authentication( + const EFI_SECURITY_PROTOCOL *This, + UINT32 AuthenticationStatus, + const EFI_DEVICE_PATH_PROTOCOL *DevicePath + ) +__attribute__((unused)); + +static EFI_STATUS thunk_security2_policy_authentication( + const EFI_SECURITY2_PROTOCOL *This, + const EFI_DEVICE_PATH_PROTOCOL *DevicePath, + VOID *FileBuffer, + UINTN FileSize, + BOOLEAN BootPolicy + ) +__attribute__((unused)); + +static __attribute__((used)) EFI_STATUS +security2_policy_authentication ( + const EFI_SECURITY2_PROTOCOL *This, + const EFI_DEVICE_PATH_PROTOCOL *DevicePath, + VOID *FileBuffer, + UINTN FileSize, + BOOLEAN BootPolicy + ) +{ + EFI_STATUS status, auth; + + /* Chain original security policy */ + + status = uefi_call_wrapper(es2fa, 5, This, DevicePath, FileBuffer, + FileSize, BootPolicy); + + /* if OK, don't bother with MOK check */ + if (status == EFI_SUCCESS) + return status; + + auth = security_policy_check_mok(FileBuffer, FileSize); + + if (auth == EFI_SECURITY_VIOLATION || auth == EFI_ACCESS_DENIED) + /* return previous status, which is the correct one + * for the platform: may be either EFI_ACCESS_DENIED + * or EFI_SECURITY_VIOLATION */ + return status; + + return auth; +} + +static __attribute__((used)) EFI_STATUS +security_policy_authentication ( + const EFI_SECURITY_PROTOCOL *This, + UINT32 AuthenticationStatus, + const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst + ) +{ + EFI_STATUS status, fail_status; + EFI_DEVICE_PATH *DevPath + = DuplicateDevicePath((EFI_DEVICE_PATH *)DevicePathConst), + *OrigDevPath = DevPath; + EFI_HANDLE h; + EFI_FILE *f; + VOID *FileBuffer; + UINTN FileSize; + CHAR16* DevPathStr; + + /* Chain original security policy */ + status = uefi_call_wrapper(esfas, 3, This, AuthenticationStatus, + DevicePathConst); + + /* if OK avoid checking MOK: It's a bit expensive to + * read the whole file in again (esfas already did this) */ + if (status == EFI_SUCCESS) + goto out; + + /* capture failure status: may be either EFI_ACCESS_DENIED or + * EFI_SECURITY_VIOLATION */ + fail_status = status; + + status = uefi_call_wrapper(BS->LocateDevicePath, 3, + &SIMPLE_FS_PROTOCOL, &DevPath, &h); + if (status != EFI_SUCCESS) + goto out; + + DevPathStr = DevicePathToStr(DevPath); + + status = simple_file_open_by_handle(h, DevPathStr, &f, + EFI_FILE_MODE_READ); + FreePool(DevPathStr); + if (status != EFI_SUCCESS) + goto out; + + status = simple_file_read_all(f, &FileSize, &FileBuffer); + simple_file_close(f); + if (status != EFI_SUCCESS) + goto out; + + status = security_policy_check_mok(FileBuffer, FileSize); + FreePool(FileBuffer); + + if (status == EFI_ACCESS_DENIED || status == EFI_SECURITY_VIOLATION) + /* return what the platform originally said */ + status = fail_status; + out: + FreePool(OrigDevPath); + return status; +} + + +/* Nasty: ELF and EFI have different calling conventions. Here is the map for + * calling ELF -> EFI + * + * 1) rdi -> rcx (32 saved) + * 2) rsi -> rdx (32 saved) + * 3) rdx -> r8 ( 32 saved) + * 4) rcx -> r9 (32 saved) + * 5) r8 -> 32(%rsp) (48 saved) + * 6) r9 -> 40(%rsp) (48 saved) + * 7) pad+0(%rsp) -> 48(%rsp) (64 saved) + * 8) pad+8(%rsp) -> 56(%rsp) (64 saved) + * 9) pad+16(%rsp) -> 64(%rsp) (80 saved) + * 10) pad+24(%rsp) -> 72(%rsp) (80 saved) + * 11) pad+32(%rsp) -> 80(%rsp) (96 saved) + + * + * So for a five argument callback, the map is ignore the first two arguments + * and then map (EFI -> ELF) assuming pad = 0. + * + * ARG4 -> ARG1 + * ARG3 -> ARG2 + * ARG5 -> ARG3 + * ARG6 -> ARG4 + * ARG11 -> ARG5 + * + * Calling conventions also differ over volatile and preserved registers in + * MS: RBX, RBP, RDI, RSI, R12, R13, R14, and R15 are considered nonvolatile . + * In ELF: Registers %rbp, %rbx and %r12 through %r15 “belong” to the calling + * function and the called function is required to preserve their values. + * + * This means when accepting a function callback from MS -> ELF, we have to do + * separate preservation on %rdi, %rsi before swizzling the arguments and + * handing off to the ELF function. + */ + +asm ( +".type security2_policy_authentication,@function\n" +"thunk_security2_policy_authentication:\n\t" + "mov 0x28(%rsp), %r10 # ARG5\n\t" + "push %rdi\n\t" + "push %rsi\n\t" + "mov %r10, %rdi\n\t" + "subq $8, %rsp # space for storing stack pad\n\t" + "mov $0x08, %rax\n\t" + "mov $0x10, %r10\n\t" + "and %rsp, %rax\n\t" + "cmovnz %rax, %r11\n\t" + "cmovz %r10, %r11\n\t" + "subq %r11, %rsp\n\t" + "addq $8, %r11\n\t" + "mov %r11, (%rsp)\n\t" +"# five argument swizzle\n\t" + "mov %rdi, %r10\n\t" + "mov %rcx, %rdi\n\t" + "mov %rdx, %rsi\n\t" + "mov %r8, %rdx\n\t" + "mov %r9, %rcx\n\t" + "mov %r10, %r8\n\t" + "callq security2_policy_authentication@PLT\n\t" + "mov (%rsp), %r11\n\t" + "addq %r11, %rsp\n\t" + "pop %rsi\n\t" + "pop %rdi\n\t" + "ret\n" +); + +asm ( +".type security_policy_authentication,@function\n" +"thunk_security_policy_authentication:\n\t" + "push %rdi\n\t" + "push %rsi\n\t" + "subq $8, %rsp # space for storing stack pad\n\t" + "mov $0x08, %rax\n\t" + "mov $0x10, %r10\n\t" + "and %rsp, %rax\n\t" + "cmovnz %rax, %r11\n\t" + "cmovz %r10, %r11\n\t" + "subq %r11, %rsp\n\t" + "addq $8, %r11\n\t" + "mov %r11, (%rsp)\n\t" +"# three argument swizzle\n\t" + "mov %rcx, %rdi\n\t" + "mov %rdx, %rsi\n\t" + "mov %r8, %rdx\n\t" + "callq security_policy_authentication@PLT\n\t" + "mov (%rsp), %r11\n\t" + "addq %r11, %rsp\n\t" + "pop %rsi\n\t" + "pop %rdi\n\t" + "ret\n" +); + +EFI_STATUS +security_policy_install(void) +{ + EFI_SECURITY_PROTOCOL *security_protocol; + EFI_SECURITY2_PROTOCOL *security2_protocol = NULL; + EFI_STATUS status; + + if (esfas) + /* Already Installed */ + return EFI_ALREADY_STARTED; + + /* Don't bother with status here. The call is allowed + * to fail, since SECURITY2 was introduced in PI 1.2.1 + * If it fails, use security2_protocol == NULL as indicator */ + uefi_call_wrapper(BS->LocateProtocol, 3, + &SECURITY2_PROTOCOL_GUID, NULL, + &security2_protocol); + + status = uefi_call_wrapper(BS->LocateProtocol, 3, + &SECURITY_PROTOCOL_GUID, NULL, + &security_protocol); + if (status != EFI_SUCCESS) + /* This one is mandatory, so there's a serious problem */ + return status; + + if (security2_protocol) { + es2fa = security2_protocol->FileAuthentication; + security2_protocol->FileAuthentication = + thunk_security2_policy_authentication; + } + + esfas = security_protocol->FileAuthenticationState; + security_protocol->FileAuthenticationState = + thunk_security_policy_authentication; + + return EFI_SUCCESS; +} + +EFI_STATUS +security_policy_uninstall(void) +{ + EFI_STATUS status; + + if (esfas) { + EFI_SECURITY_PROTOCOL *security_protocol; + + status = uefi_call_wrapper(BS->LocateProtocol, 3, + &SECURITY_PROTOCOL_GUID, NULL, + &security_protocol); + + if (status != EFI_SUCCESS) + return status; + + security_protocol->FileAuthenticationState = esfas; + esfas = NULL; + } else { + /* nothing installed */ + return EFI_NOT_STARTED; + } + + if (es2fa) { + EFI_SECURITY2_PROTOCOL *security2_protocol; + + status = uefi_call_wrapper(BS->LocateProtocol, 3, + &SECURITY2_PROTOCOL_GUID, NULL, + &security2_protocol); + + if (status != EFI_SUCCESS) + return status; + + security2_protocol->FileAuthentication = es2fa; + es2fa = NULL; + } + + return EFI_SUCCESS; +} + +void +security_protocol_set_hashes(unsigned char *esl, int len) +{ + security_policy_esl = esl; + security_policy_esl_len = len; +} diff --git a/lib/shell.c b/lib/shell.c new file mode 100644 index 0000000..51de4e0 --- /dev/null +++ b/lib/shell.c @@ -0,0 +1,57 @@ +/* + * Copyright 2012 + * + * see COPYING file + * + * misc shell helper functions + */ +#include +#include + +#include + +EFI_STATUS +argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV) +{ + int i, count = 1; + EFI_STATUS status; + EFI_LOADED_IMAGE *info; + CHAR16 *start; + + *argc = 0; + + status = uefi_call_wrapper(BS->HandleProtocol, 3, image, &LoadedImageProtocol, (VOID **) &info); + if (EFI_ERROR(status)) { + Print(L"Failed to get arguments\n"); + return status; + } + + for (i = 0; i < info->LoadOptionsSize; i += 2) { + CHAR16 *c = (CHAR16 *)(info->LoadOptions + i); + if (*c == L' ' && *(c+1) != '\0') { + (*argc)++; + } + } + + (*argc)++; /* we counted spaces, so add one for initial */ + + *ARGV = AllocatePool(*argc * sizeof(*ARGV)); + if (!*ARGV) { + return EFI_OUT_OF_RESOURCES; + } + (*ARGV)[0] = (CHAR16 *)info->LoadOptions; + for (i = 0; i < info->LoadOptionsSize; i += 2) { + CHAR16 *c = (CHAR16 *)(info->LoadOptions + i); + if (*c == L' ') { + *c = L'\0'; + if (*(c + 1) == '\0') + /* strip trailing space */ + break; + start = c + 1; + (*ARGV)[count++] = start; + } + } + + return EFI_SUCCESS; +} + diff --git a/lib/simple_file.c b/lib/simple_file.c new file mode 100644 index 0000000..0e5ecd2 --- /dev/null +++ b/lib/simple_file.c @@ -0,0 +1,501 @@ +/* + * Copyright 2012 + * + * see COPYING file + */ + +#include +#include + +#include +#include +#include +#include /* for generate_path() */ + +static EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL; +static EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL; +static EFI_GUID FILE_INFO = EFI_FILE_INFO_ID; +static EFI_GUID FS_INFO = EFI_FILE_SYSTEM_INFO_ID; + +EFI_STATUS +simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UINT64 mode) +{ + EFI_STATUS efi_status; + EFI_FILE_IO_INTERFACE *drive; + EFI_FILE *root; + + efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, device, + &SIMPLE_FS_PROTOCOL, &drive); + + if (efi_status != EFI_SUCCESS) { + Print(L"Unable to find simple file protocol (%d)\n", efi_status); + goto error; + } + + efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root); + + if (efi_status != EFI_SUCCESS) { + Print(L"Failed to open drive volume (%d)\n", efi_status); + goto error; + } + + efi_status = uefi_call_wrapper(root->Open, 5, root, file, name, + mode, 0); + + error: + return efi_status; +} + +EFI_STATUS +simple_file_open(EFI_HANDLE image, CHAR16 *name, EFI_FILE **file, UINT64 mode) +{ + EFI_STATUS efi_status; + EFI_HANDLE device; + EFI_LOADED_IMAGE *li; + EFI_DEVICE_PATH *loadpath = NULL; + CHAR16 *PathName = NULL; + + efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, image, + &IMAGE_PROTOCOL, &li); + + if (efi_status != EFI_SUCCESS) + return simple_file_open_by_handle(image, name, file, mode); + + efi_status = generate_path(name, li, &loadpath, &PathName); + + if (efi_status != EFI_SUCCESS) { + Print(L"Unable to generate load path for %s\n", name); + return efi_status; + } + + device = li->DeviceHandle; + + efi_status = simple_file_open_by_handle(device, PathName, file, mode); + + FreePool(PathName); + FreePool(loadpath); + + return efi_status; +} + +EFI_STATUS +simple_dir_read_all_by_handle(EFI_HANDLE image, EFI_FILE *file, CHAR16* name, EFI_FILE_INFO **entries, + int *count) +{ + EFI_STATUS status; + char buf[4096]; + UINTN size = sizeof(buf); + EFI_FILE_INFO *fi = (void *)buf; + + status = uefi_call_wrapper(file->GetInfo, 4, file, &FILE_INFO, + &size, fi); + if (status != EFI_SUCCESS) { + Print(L"Failed to get file info\n"); + goto out; + } + if ((fi->Attribute & EFI_FILE_DIRECTORY) == 0) { + Print(L"Not a directory %s\n", name); + status = EFI_INVALID_PARAMETER; + goto out; + } + size = 0; + *count = 0; + for (;;) { + UINTN len = sizeof(buf); + status = uefi_call_wrapper(file->Read, 3, file, &len, buf); + if (status != EFI_SUCCESS || len == 0) + break; + (*count)++; + size += len; + } + uefi_call_wrapper(file->SetPosition, 2, file, 0); + + char *ptr = AllocatePool(size); + *entries = (EFI_FILE_INFO *)ptr; + if (!*entries) + return EFI_OUT_OF_RESOURCES; + int i; + for (i = 0; i < *count; i++) { + int len = size; + uefi_call_wrapper(file->Read, 3, file, &len, ptr); + ptr += len; + size -= len; + } + status = EFI_SUCCESS; + out: + simple_file_close(file); + if (status != EFI_SUCCESS && *entries) { + FreePool(*entries); + *entries = NULL; + } + return status; +} + +EFI_STATUS +simple_dir_read_all(EFI_HANDLE image, CHAR16 *name, EFI_FILE_INFO **entries, + int *count) +{ + EFI_FILE *file; + EFI_STATUS status; + + status = simple_file_open(image, name, &file, EFI_FILE_MODE_READ); + if (status != EFI_SUCCESS) { + Print(L"failed to open file %s: %d\n", name, status); + return status; + } + + return simple_dir_read_all_by_handle(image, file, name, entries, count); +} + +EFI_STATUS +simple_file_read_all(EFI_FILE *file, UINTN *size, void **buffer) +{ + EFI_STATUS efi_status; + EFI_FILE_INFO *fi; + char buf[1024]; + + *size = sizeof(buf); + fi = (void *)buf; + + + efi_status = uefi_call_wrapper(file->GetInfo, 4, file, &FILE_INFO, + size, fi); + if (efi_status != EFI_SUCCESS) { + Print(L"Failed to get file info\n"); + return efi_status; + } + + *size = fi->FileSize; + + *buffer = AllocatePool(*size); + if (!*buffer) { + Print(L"Failed to allocate buffer of size %d\n", *size); + return EFI_OUT_OF_RESOURCES; + } + efi_status = uefi_call_wrapper(file->Read, 3, file, size, *buffer); + + return efi_status; +} + + +EFI_STATUS +simple_file_write_all(EFI_FILE *file, UINTN size, void *buffer) +{ + EFI_STATUS efi_status; + + efi_status = uefi_call_wrapper(file->Write, 3, file, &size, buffer); + + return efi_status; +} + +void +simple_file_close(EFI_FILE *file) +{ + uefi_call_wrapper(file->Close, 1, file); +} + +EFI_STATUS +simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) +{ + UINTN count, i; + EFI_HANDLE *vol_handles = NULL; + EFI_STATUS status; + CHAR16 **entries; + int val; + + uefi_call_wrapper(BS->LocateHandleBuffer, 5, ByProtocol, + &SIMPLE_FS_PROTOCOL, NULL, &count, &vol_handles); + + if (!count || !vol_handles) + return EFI_NOT_FOUND; + + entries = AllocatePool(sizeof(CHAR16 *) * (count+1)); + if (!entries) + return EFI_OUT_OF_RESOURCES; + + for (i = 0; i < count; i++) { + char buf[4096]; + UINTN size = sizeof(buf); + EFI_FILE_SYSTEM_INFO *fi = (void *)buf; + EFI_FILE *root; + CHAR16 *name; + EFI_FILE_IO_INTERFACE *drive; + + status = uefi_call_wrapper(BS->HandleProtocol, 3, + vol_handles[i], + &SIMPLE_FS_PROTOCOL, &drive); + if (status != EFI_SUCCESS || !drive) + continue; + + status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root); + if (status != EFI_SUCCESS) + continue; + + status = uefi_call_wrapper(root->GetInfo, 4, root, &FS_INFO, + &size, fi); + if (status != EFI_SUCCESS) + continue; + + name = fi->VolumeLabel; + + if (!name || StrLen(name) == 0 || StrCmp(name, L" ") == 0) + name = DevicePathToStr(DevicePathFromHandle(vol_handles[i])); + + entries[i] = AllocatePool((StrLen(name) + 2) * sizeof(CHAR16)); + if (!entries[i]) + break; + StrCpy(entries[i], name); + } + entries[i] = NULL; + + val = console_select(title, entries, 0); + + if (val >= 0) { + *selected = AllocatePool((StrLen(entries[val]) + 1) * sizeof(CHAR16)); + if (*selected) { + StrCpy(*selected , entries[val]); + } + *h = vol_handles[val]; + } else { + *selected = NULL; + *h = 0; + } + + for (i = 0; i < count; i++) { + if (entries[i]) + FreePool(entries[i]); + } + FreePool(entries); + FreePool(vol_handles); + + + return EFI_SUCCESS; +} + +EFI_STATUS +simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, + CHAR16 ***result, int *count, EFI_FILE_INFO **entries) +{ + EFI_STATUS status; + int tot, offs = StrLen(filter), i, c, filtercount = 1; + EFI_FILE_INFO *next; + void *ptr; + CHAR16 *newfilter = AllocatePool((StrLen(filter) + 1) * sizeof(CHAR16)), + **filterarr; + + if (!newfilter) + return EFI_OUT_OF_RESOURCES; + + /* just in case efi ever stops writeable strings */ + StrCpy(newfilter, filter); + + for (i = 0; i < offs; i++) { + if (filter[i] == '|') + filtercount++; + } + filterarr = AllocatePool(filtercount * sizeof(void *)); + if (!filterarr) + return EFI_OUT_OF_RESOURCES; + c = 0; + filterarr[c++] = newfilter; + for (i = 0; i < offs; i++) { + if (filter[i] == '|') { + newfilter[i] = '\0'; + filterarr[c++] = &newfilter[i+1]; + } + } + + *count = 0; + + status = simple_dir_read_all(image, name, entries, &tot); + + if (status != EFI_SUCCESS) + goto out; + ptr = next = *entries; + + for (i = 0; i < tot; i++) { + int len = StrLen(next->FileName); + + for (c = 0; c < filtercount; c++) { + offs = StrLen(filterarr[c]); + + if (StrCmp(&next->FileName[len - offs], filterarr[c]) == 0 + || (next->Attribute & EFI_FILE_DIRECTORY)) { + (*count)++; + break; + } + } + ptr += OFFSET_OF(EFI_FILE_INFO, FileName) + (len + 1)*sizeof(CHAR16); + next = ptr; + } + if (*count) + *result = AllocatePool(((*count) + 1) * sizeof(void *)); + else + *result = AllocatePool(2 * sizeof(void *)); + + *count = 0; + ptr = next = *entries; + + for (i = 0; i < tot; i++) { + int len = StrLen(next->FileName); + + if (StrCmp(next->FileName, L".") == 0) + /* ignore . directory */ + goto next; + + if (next->Attribute & EFI_FILE_DIRECTORY) { + (*result)[(*count)] = next->FileName; + (*result)[(*count)][len] = '/'; + (*result)[(*count)++][len + 1] = '\0'; + goto next; + } + + for (c = 0; c < filtercount; c++) { + offs = StrLen(filterarr[c]); + + if (StrCmp(&next->FileName[len - offs], filterarr[c]) == 0) { + (*result)[(*count)++] = next->FileName; + } else { + continue; + } + break; + } + + next: + if (StrCmp(next->FileName, L"../") == 0) { + /* place .. directory first */ + CHAR16 *tmp = (*result)[(*count) - 1]; + + (*result)[(*count) - 1] = (*result)[0]; + (*result)[0] = tmp; + } + + ptr += OFFSET_OF(EFI_FILE_INFO, FileName) + (len + 1)*sizeof(CHAR16); + next = ptr; + } + if (*count == 0) { + /* no entries at all ... can happen because top level dir has no . or .. */ + (*result)[(*count)++] = L"./"; + } + (*result)[*count] = NULL; + status = EFI_SUCCESS; + + out: + if (status != EFI_SUCCESS) { + if (*entries) + FreePool(*entries); + *entries = NULL; + if (*result) + FreePool(*result); + *result = NULL; + } + return status; +} + +void +simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name, + CHAR16 *filter, CHAR16 **result) +{ + EFI_STATUS status; + CHAR16 **entries; + EFI_FILE_INFO *dmp; + int count, select, len; + CHAR16 *newname, *selected; + + *result = NULL; + if (!name) + name = L"\\"; + if (!filter) + filter = L""; + if (!*im) { + EFI_HANDLE h; + CHAR16 *volname; + + simple_volume_selector(title, &volname, &h); + if (!volname) + return; + FreePool(volname); + *im = h; + } + + newname = AllocatePool((StrLen(name) + 1)*sizeof(CHAR16)); + if (!newname) + return; + + StrCpy(newname, name); + name = newname; + + redo: + status = simple_dir_filter(*im, name, filter, &entries, &count, &dmp); + + if (status != EFI_SUCCESS) + goto out_free_name; + + select = console_select(title, entries, 0); + if (select < 0) + /* ESC key */ + goto out_free; + selected = entries[select]; + FreePool(entries); + entries = NULL; + /* note that memory used by selected is valid until dmp is freed */ + len = StrLen(selected); + if (selected[len - 1] == '/') { + CHAR16 *newname; + + /* stay where we are */ + if (StrCmp(selected, L"./") == 0) { + FreePool(dmp); + goto redo; + } else if (StrCmp(selected, L"../") == 0) { + int i; + + i = StrLen(name) - 1; + + + for (i = StrLen(name); i > 0; --i) { + if (name[i] == '\\') + break; + } + if (i == 0) + i = 1; + + if (StrCmp(name, L"\\") != 0 + && StrCmp(&name[i], L"..") != 0) { + name[i] = '\0'; + FreePool(dmp); + goto redo; + } + } + newname = AllocatePool((StrLen(name) + len + 2)*sizeof(CHAR16)); + if (!newname) + goto out_free; + StrCpy(newname, name); + + if (name[StrLen(name) - 1] != '\\') + StrCat(newname, L"\\"); + StrCat(newname, selected); + /* remove trailing / */ + newname[StrLen(newname) - 1] = '\0'; + + FreePool(dmp); + FreePool(name); + name = newname; + + goto redo; + } + *result = AllocatePool((StrLen(name) + len + 2)*sizeof(CHAR16)); + if (*result) { + StrCpy(*result, name); + if (name[StrLen(name) - 1] != '\\') + StrCat(*result, L"\\"); + StrCat(*result, selected); + } + + out_free: + FreePool(dmp); + if (entries) + FreePool(entries); + out_free_name: + FreePool(name); +} diff --git a/lib/variables.c b/lib/variables.c new file mode 100644 index 0000000..9db6480 --- /dev/null +++ b/lib/variables.c @@ -0,0 +1,340 @@ +/* + * Copyright 2012 + * + * see COPYING file + * + * Portions of this file are a direct cut and paste from Tianocore + * (http://tianocore.sf.net) + * + * SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c + * + * Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.
+ * This program and the accompanying materials + * are licensed and made available under the terms and conditions of the BSD License + * which accompanies this distribution. The full text of the license may be found + * at + * http://opensource.org/licenses/bsd-license.php + * + * THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + * WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + * + */ +#include +#include + +#include + +#include +#include +#include +#include +#include + +EFI_STATUS +variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner, + void **out, int *outlen) +{ + *outlen = cert_len + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); + + *out = AllocateZeroPool(*outlen); + if (!*out) + return EFI_OUT_OF_RESOURCES; + + EFI_SIGNATURE_LIST *sl = *out; + + sl->SignatureHeaderSize = 0; + sl->SignatureType = *type; + sl->SignatureSize = cert_len + sizeof(EFI_GUID); + sl->SignatureListSize = *outlen; + + EFI_SIGNATURE_DATA *sd = *out + sizeof(EFI_SIGNATURE_LIST); + + if (owner) + sd->SignatureOwner = *owner; + + CopyMem(sd->SignatureData, cert, cert_len); + + return EFI_SUCCESS; +} + + +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data + ) +{ + EFI_STATUS Status; + UINT8 *NewData; + UINT8 *Payload; + UINTN PayloadSize; + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; + UINTN DescriptorSize; + EFI_TIME Time; + EFI_GUID efi_cert_type = EFI_CERT_TYPE_PKCS7_GUID; + + if (Data == NULL || DataSize == NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // In Setup mode or Custom mode, the variable does not need to be signed but the + // parameters to the SetVariable() call still need to be prepared as authenticated + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate + // data in it. + // + Payload = *Data; + PayloadSize = *DataSize; + + DescriptorSize = OFFSET_OF(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData); + NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); + if (NewData == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if ((Payload != NULL) && (PayloadSize != 0)) { + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); + } + + DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); + + ZeroMem (&Time, sizeof (EFI_TIME)); + Status = uefi_call_wrapper(RT->GetTime,2, &Time, NULL); + if (EFI_ERROR (Status)) { + FreePool(NewData); + return Status; + } + Time.Pad1 = 0; + Time.Nanosecond = 0; + Time.TimeZone = 0; + Time.Daylight = 0; + Time.Pad2 = 0; + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); + + DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); + DescriptorData->AuthInfo.Hdr.wRevision = 0x0200; + DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; + DescriptorData->AuthInfo.CertType = efi_cert_type; + + /* we're expecting an EFI signature list, so don't free the input since + * it might not be in a pool */ +#if 0 + if (Payload != NULL) { + FreePool(Payload); + } +#endif + + *DataSize = DescriptorSize + PayloadSize; + *Data = NewData; + return EFI_SUCCESS; +} + +EFI_STATUS +SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, + UINT32 options, int createtimebased) +{ + EFI_SIGNATURE_LIST *Cert; + UINTN DataSize; + EFI_STATUS efi_status; + + /* Microsoft request: Bugs in some UEFI platforms mean that PK or any + * other secure variable can be updated or deleted programmatically, + * so prevent */ + if (!variable_is_setupmode()) + return EFI_SECURITY_VIOLATION; + + if (createtimebased) { + int ds; + efi_status = variable_create_esl(Data, len, &X509_GUID, NULL, + (void **)&Cert, &ds); + if (efi_status != EFI_SUCCESS) { + Print(L"Failed to create %s certificate %d\n", var, efi_status); + return efi_status; + } + + DataSize = ds; + } else { + /* we expect an efi signature list rather than creating it */ + Cert = (EFI_SIGNATURE_LIST *)Data; + DataSize = len; + } + efi_status = CreateTimeBasedPayload(&DataSize, (UINT8 **)&Cert); + if (efi_status != EFI_SUCCESS) { + Print(L"Failed to create time based payload %d\n", efi_status); + return efi_status; + } + + efi_status = uefi_call_wrapper(RT->SetVariable, 5, var, &owner, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_RUNTIME_ACCESS + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS + | options, + DataSize, Cert); + + return efi_status; +} + +UINT64 +GetOSIndications(void) +{ + UINT64 indications; + UINTN DataSize = sizeof(indications); + EFI_STATUS efi_status; + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"OsIndicationsSupported", &GV_GUID, NULL, &DataSize, &indications); + if (efi_status != EFI_SUCCESS) + return 0; + + return indications; +} + +EFI_STATUS +SETOSIndicationsAndReboot(UINT64 indications) +{ + UINTN DataSize = sizeof(indications); + EFI_STATUS efi_status; + + efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"OsIndications", + &GV_GUID, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_RUNTIME_ACCESS + | EFI_VARIABLE_BOOTSERVICE_ACCESS, + DataSize, &indications); + + if (efi_status != EFI_SUCCESS) + return efi_status; + + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, NULL); + /* does not return */ + + return EFI_SUCCESS; +} + +EFI_STATUS +get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, + UINT32 *attributes) +{ + EFI_STATUS efi_status; + + *len = 0; + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, + NULL, len, NULL); + if (efi_status != EFI_BUFFER_TOO_SMALL) + return efi_status; + + *data = AllocateZeroPool(*len); + if (!data) + return EFI_OUT_OF_RESOURCES; + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, + attributes, len, *data); + + if (efi_status != EFI_SUCCESS) { + FreePool(*data); + *data = NULL; + } + return efi_status; +} + +EFI_STATUS +get_variable(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner) +{ + return get_variable_attr(var, data, len, owner, NULL); +} + +EFI_STATUS +find_in_esl(UINT8 *Data, UINTN DataSize, UINT8 *key, UINTN keylen) +{ + EFI_SIGNATURE_LIST *CertList; + + certlist_for_each_certentry(CertList, Data, DataSize, DataSize) { + if (CertList->SignatureSize != keylen + sizeof(EFI_GUID)) + continue; + EFI_SIGNATURE_DATA *Cert; + + certentry_for_each_cert(Cert, CertList) + if (CompareMem (Cert->SignatureData, key, keylen) == 0) + return EFI_SUCCESS; + } + return EFI_NOT_FOUND; +} + +EFI_STATUS +find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen) +{ + UINTN DataSize; + UINT8 *Data; + EFI_STATUS status; + + status = get_variable(var, &Data, &DataSize, owner); + if (status != EFI_SUCCESS) + return status; + + status = find_in_esl(Data, DataSize, key, keylen); + + FreePool(Data); + + return status; +} + +int +variable_is_setupmode(void) +{ + /* set to 1 because we return true if SetupMode doesn't exist */ + UINT8 SetupMode = 1; + UINTN DataSize = sizeof(SetupMode); + + uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, + &DataSize, &SetupMode); + + return SetupMode; +} + +int +variable_is_secureboot(void) +{ + /* return false if variable doesn't exist */ + UINT8 SecureBoot = 0; + UINTN DataSize; + + DataSize = sizeof(SecureBoot); + uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL, + &DataSize, &SecureBoot); + + return SecureBoot; +} + +EFI_STATUS +variable_enroll_hash(CHAR16 *var, EFI_GUID owner, + UINT8 hash[SHA256_DIGEST_SIZE]) +{ + EFI_STATUS status; + + if (find_in_variable_esl(var, owner, hash, SHA256_DIGEST_SIZE) + == EFI_SUCCESS) + /* hash already present */ + return EFI_ALREADY_STARTED; + + UINT8 sig[sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + SHA256_DIGEST_SIZE]; + EFI_SIGNATURE_LIST *l = (void *)sig; + EFI_SIGNATURE_DATA *d = (void *)sig + sizeof(EFI_SIGNATURE_LIST); + SetMem(sig, 0, sizeof(sig)); + l->SignatureType = EFI_CERT_SHA256_GUID; + l->SignatureListSize = sizeof(sig); + l->SignatureSize = 16 +32; /* UEFI defined */ + CopyMem(&d->SignatureData, hash, SHA256_DIGEST_SIZE); + d->SignatureOwner = MOK_OWNER; + + if (CompareGuid(&owner, &SIG_DB) == 0) + status = SetSecureVariable(var, sig, sizeof(sig), owner, + EFI_VARIABLE_APPEND_WRITE, 0); + else + status = uefi_call_wrapper(RT->SetVariable, 5, var, &owner, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_APPEND_WRITE, + sizeof(sig), sig); + return status; +} From b1a00240ab3d7cb4e20fbc020e09c7b17972f479 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 021/163] simple_file: Allocate buffers for file entries The dir filter appends L'/' to the directory entries without allocating a new buffer, and this could crash the whole program. --- lib/simple_file.c | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/lib/simple_file.c b/lib/simple_file.c index 0e5ecd2..e288272 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -344,9 +344,12 @@ simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, goto next; if (next->Attribute & EFI_FILE_DIRECTORY) { - (*result)[(*count)] = next->FileName; - (*result)[(*count)][len] = '/'; - (*result)[(*count)++][len + 1] = '\0'; + (*result)[(*count)] = PoolPrint(L"%s/", next->FileName); + if (!(*result)[(*count)]) { + Print(L"Failed to allocate buffer"); + return EFI_OUT_OF_RESOURCES; + } + (*count)++; goto next; } @@ -354,7 +357,12 @@ simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, offs = StrLen(filterarr[c]); if (StrCmp(&next->FileName[len - offs], filterarr[c]) == 0) { - (*result)[(*count)++] = next->FileName; + (*result)[(*count)] = StrDuplicate(next->FileName); + if (!(*result)[(*count)]) { + Print(L"Failed to allocate buffer"); + return EFI_OUT_OF_RESOURCES; + } + (*count)++; } else { continue; } @@ -362,7 +370,7 @@ simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, } next: - if (StrCmp(next->FileName, L"../") == 0) { + if (StrCmp(next->FileName, L"..") == 0) { /* place .. directory first */ CHAR16 *tmp = (*result)[(*count) - 1]; @@ -392,6 +400,15 @@ simple_dir_filter(EFI_HANDLE image, CHAR16 *name, CHAR16 *filter, return status; } +static void +free_entries(CHAR16 **entries, int count) +{ + int i; + + for (i = 0; i Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 022/163] Clean lib/, too --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index a64b4ac..134d729 100644 --- a/Makefile +++ b/Makefile @@ -109,6 +109,7 @@ lib/lib.a: clean: $(MAKE) -C Cryptlib clean $(MAKE) -C Cryptlib/OpenSSL clean + $(MAKE) -C lib clean rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb rm -f *.debug *.so *.efi From 5e9fee215828a1a3832014f8898d8796239b63a1 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 023/163] Make EFI_PATH easily resettable from the build command line. Signed-off-by: Peter Jones --- Makefile | 4 ++-- lib/Makefile | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 134d729..868fb95 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ LIB_PATH = /usr/lib64 EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi +EFI_PATH := /usr/lib64/gnuefi LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) @@ -88,7 +88,7 @@ Cryptlib/OpenSSL/libopenssl.a: $(MAKE) -C Cryptlib/OpenSSL lib/lib.a: - $(MAKE) -C lib + $(MAKE) -C lib EFI_PATH=$(EFI_PATH) %.efi: %.so objcopy -j .text -j .sdata -j .data \ diff --git a/lib/Makefile b/lib/Makefile index be5f354..4390700 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -6,7 +6,6 @@ ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include -EFI_PATH = /usr/lib64/gnuefi EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds From 3a838b14f0ea62da113ea0090e057713b0352aee Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 024/163] MokManager: support crypt() password hash The password format is introduced for the password hash generated by crypt(), so that the user can import the password hash from /etc/shadow. The packager, especially those who packages 3rd party drivers, can utilize this feature to import a 3rd party certificate without interfering the package installation. This commit implements the sha256-based crypt() hash function. Conflicts: Makefile MokManager.c --- Makefile | 6 +- MokManager.c | 153 +++++++++++++++++++++++++++++++++++------------- PasswordCrypt.c | 124 +++++++++++++++++++++++++++++++++++++++ PasswordCrypt.h | 26 ++++++++ 4 files changed, 265 insertions(+), 44 deletions(-) create mode 100644 PasswordCrypt.c create mode 100644 PasswordCrypt.h diff --git a/Makefile b/Makefile index 868fb95..0a7efd5 100644 --- a/Makefile +++ b/Makefile @@ -36,8 +36,8 @@ TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key SOURCES = shim.c shim.h netboot.c signature.h PeImage.h -MOK_OBJS = MokManager.o -MOK_SOURCES = MokManager.c shim.h console_control.h +MOK_OBJS = MokManager.o PasswordCrypt.o +MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h FALLBACK_OBJS = fallback.o FALLBACK_SRCS = fallback.c @@ -76,7 +76,7 @@ fallback.o: $(FALLBACK_SRCS) fallback.so: $(FALLBACK_OBJS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) -MokManager.o: $(SOURCES) +MokManager.o: $(MOK_SOURCES) MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a diff --git a/MokManager.c b/MokManager.c index c254fdc..66e33ce 100644 --- a/MokManager.c +++ b/MokManager.c @@ -2,17 +2,18 @@ #include #include #include +#include "console_control.h" #include "shim.h" #include "signature.h" #include "PeImage.h" -#include "console_control.h" +#include "PasswordCrypt.h" #include "include/console.h" #include "include/simple_file.h" -#define PASSWORD_MAX 16 -#define PASSWORD_MIN 8 -#define SB_PASSWORD_LEN 8 +#define PASSWORD_MAX 256 +#define PASSWORD_MIN 1 +#define SB_PASSWORD_LEN 16 #ifndef SHIM_VENDOR #define SHIM_VENDOR L"Shim" @@ -43,7 +44,7 @@ typedef struct { typedef struct { UINT32 MokSBState; UINT32 PWLen; - CHAR16 Password[PASSWORD_MAX]; + CHAR16 Password[SB_PASSWORD_LEN]; } __attribute__ ((packed)) MokSBvar; static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes, @@ -586,8 +587,8 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show return 1; } -static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *password, - UINT32 pw_length, UINT8 *hash) +static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password, + UINT32 pw_length, UINT8 *hash) { EFI_STATUS status; unsigned int ctxsize; @@ -607,15 +608,15 @@ static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *passw goto done; } - if (MokNew && MokNewSize) { - if (!(Sha256Update(ctx, MokNew, MokNewSize))) { + if (Data && DataSize) { + if (!(Sha256Update(ctx, Data, DataSize))) { console_notify(L"Unable to generate hash"); status = EFI_OUT_OF_RESOURCES; goto done; } } - if (!(Sha256Update(ctx, password, pw_length * sizeof(CHAR16)))) { + if (!(Sha256Update(ctx, password, pw_length))) { console_notify(L"Unable to generate hash"); status = EFI_OUT_OF_RESOURCES; goto done; @@ -632,15 +633,34 @@ done: return status; } -static EFI_STATUS match_password (void *Data, UINTN DataSize, - UINT8 auth[SHA256_DIGEST_SIZE], - CHAR16 *prompt) +static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, + void *Data, UINTN DataSize, + UINT8 *auth, CHAR16 *prompt) { - EFI_STATUS efi_status; + EFI_STATUS status; UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 *auth_hash; + UINT32 auth_size; CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; + int i; + + if (pw_crypt) { + /* + * Only support sha256 now + */ + if(pw_crypt->method != SHA256_BASED) + return EFI_INVALID_PARAMETER; + auth_hash = pw_crypt->hash; + /* FIXME assign auth_size according to pw_crypt->method */ + auth_size = SHA256_DIGEST_SIZE; + } else if (auth) { + auth_hash = auth; + auth_size = SHA256_DIGEST_SIZE; + } else { + return EFI_INVALID_PARAMETER; + } while (fail_count < 3) { if (prompt) { @@ -656,16 +676,30 @@ static EFI_STATUS match_password (void *Data, UINTN DataSize, continue; } - efi_status = compute_pw_hash(Data, DataSize, password, - pw_length, hash); + /* + * Compute password hash + */ + if (pw_crypt) { + char pw_ascii[PASSWORD_MAX + 1]; + for (i = 0; i < pw_length; i++) + pw_ascii[i] = (char)password[i]; + pw_ascii[pw_length] = '\0'; - if (efi_status != EFI_SUCCESS) { + status = password_crypt(pw_ascii, pw_length, pw_crypt, hash); + } else { + /* + * For backward compatibility + */ + status = compute_pw_hash(Data, DataSize, (UINT8 *)password, + pw_length * sizeof(CHAR16), hash); + } + if (status != EFI_SUCCESS) { Print(L"Unable to generate password hash\n"); fail_count++; continue; } - if (CompareMem(auth, hash, SHA256_DIGEST_SIZE) != 0) { + if (CompareMem(auth_hash, hash, auth_size) != 0) { Print(L"Password doesn't match\n"); fail_count++; continue; @@ -684,23 +718,29 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size; + UINT8 auth[PASSWORD_CRYPT_SIZE]; + UINTN auth_size = PASSWORD_CRYPT_SIZE; UINT32 attributes; if (authenticate) { - auth_size = SHA256_DIGEST_SIZE; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, &attributes, &auth_size, auth); - - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && + auth_size != PASSWORD_CRYPT_SIZE)) { console_error(L"Failed to get MokAuth", efi_status); return efi_status; } - efi_status = match_password(MokNew, MokNewSize, auth, NULL); + if (auth_size == PASSWORD_CRYPT_SIZE) { + efi_status = match_password((PASSWORD_CRYPT *)auth, + NULL, 0, NULL, NULL); + } else { + efi_status = match_password(NULL, MokNew, MokNewSize, + auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; } @@ -854,8 +894,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 auth[PASSWORD_CRYPT_SIZE]; + UINTN auth_size = PASSWORD_CRYPT_SIZE; UINT32 attributes; void *MokListData = NULL; UINTN MokListDataSize = 0; @@ -867,12 +907,18 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) &shim_lock_guid, &attributes, &auth_size, auth); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != PASSWORD_CRYPT_SIZE)) { console_error(L"Failed to get MokDelAuth", efi_status); return efi_status; } - efi_status = match_password(MokDel, MokDelSize, auth, NULL); + if (auth_size == PASSWORD_CRYPT_SIZE) { + efi_status = match_password((PASSWORD_CRYPT *)auth, NULL, 0, + NULL, NULL); + } else { + efi_status = match_password(NULL, MokDel, MokDelSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1045,18 +1091,27 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 hash[PASSWORD_CRYPT_SIZE]; + UINT8 clear = 0; - if (MokPWSize != SHA256_DIGEST_SIZE) { + if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != PASSWORD_CRYPT_SIZE) { console_notify(L"Invalid MokPW variable contents"); return -1; } uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - SetMem(hash, SHA256_DIGEST_SIZE, 0); + SetMem(hash, PASSWORD_CRYPT_SIZE, 0); - if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) { + if (MokPWSize == PASSWORD_CRYPT_SIZE) { + if (CompareMem(MokPW, hash, PASSWORD_CRYPT_SIZE) == 0) + clear = 1; + } else { + if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) + clear = 1; + } + + if (clear) { if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0) return 0; @@ -1065,7 +1120,14 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return 0; } - efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + if (MokPWSize == PASSWORD_CRYPT_SIZE) { + efi_status = match_password((PASSWORD_CRYPT *)MokPW, NULL, 0, + NULL, L"Confirm MOK passphrase: "); + } else { + efi_status = match_password(NULL, NULL, 0, MokPW, + L"Confirm MOK passphrase: "); + } + if (efi_status != EFI_SUCCESS) { console_notify(L"Password limit reached"); return -1; @@ -1280,8 +1342,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 pwhash[SHA256_DIGEST_SIZE]; - UINTN size = SHA256_DIGEST_SIZE; + UINT8 pwhash[PASSWORD_CRYPT_SIZE]; + UINTN size = PASSWORD_CRYPT_SIZE; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", @@ -1293,7 +1355,8 @@ static BOOLEAN verify_pw(void) * known value, so there's no safety advantage in failing to validate * purely because of a failure to read the variable */ - if (efi_status != EFI_SUCCESS) + if (efi_status != EFI_SUCCESS || + (size != SHA256_DIGEST_SIZE && size != PASSWORD_CRYPT_SIZE)) return TRUE; if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) @@ -1301,7 +1364,13 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + if (size == PASSWORD_CRYPT_SIZE) { + efi_status = match_password((PASSWORD_CRYPT *)pwhash, NULL, 0, + NULL, L"Enter MOK password: "); + } else { + efi_status = match_password(NULL, NULL, 0, pwhash, + L"Enter MOK password: "); + } if (efi_status != EFI_SUCCESS) { console_notify(L"Password limit reached"); return FALSE; @@ -1335,8 +1404,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINTN menucount = 3, i = 0; EFI_STATUS efi_status; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 auth[PASSWORD_CRYPT_SIZE]; + UINTN auth_size = PASSWORD_CRYPT_SIZE; UINT32 attributes; EFI_STATUS ret = EFI_SUCCESS; @@ -1347,14 +1416,16 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_CRYPT_SIZE)) MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_CRYPT_SIZE)) MokDelAuth = 1; if (MokNew || MokAuth) diff --git a/PasswordCrypt.c b/PasswordCrypt.c new file mode 100644 index 0000000..bde23ed --- /dev/null +++ b/PasswordCrypt.c @@ -0,0 +1,124 @@ +#include +#include +#include +#include +#include "PasswordCrypt.h" + +static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, + const char *salt, UINT32 salt_size, + const UINT32 rounds, UINT8 *hash) +{ + SHA256_CTX ctx, alt_ctx; + UINT8 alt_result[SHA256_DIGEST_SIZE]; + UINT8 tmp_result[SHA256_DIGEST_SIZE]; + UINT8 *cp, *p_bytes, *s_bytes; + UINTN cnt; + + SHA256_Init(&ctx); + SHA256_Update(&ctx, key, key_len); + SHA256_Update(&ctx, salt, salt_size); + + SHA256_Init(&alt_ctx); + SHA256_Update(&alt_ctx, key, key_len); + SHA256_Update(&alt_ctx, salt, salt_size); + SHA256_Update(&alt_ctx, key, key_len); + SHA256_Final(alt_result, &alt_ctx); + + for (cnt = key_len; cnt > 32; cnt -= 32) + SHA256_Update(&ctx, alt_result, 32); + SHA256_Update(&ctx, alt_result, cnt); + + for (cnt = key_len; cnt > 0; cnt >>= 1) { + if ((cnt & 1) != 0) { + SHA256_Update(&ctx, alt_result, 32); + } else { + SHA256_Update(&ctx, key, key_len); + } + } + SHA256_Final(alt_result, &ctx); + + SHA256_Init(&alt_ctx); + for (cnt = 0; cnt < key_len; ++cnt) + SHA256_Update(&alt_ctx, key, key_len); + SHA256_Final(tmp_result, &alt_ctx); + + cp = p_bytes = AllocatePool(key_len); + for (cnt = key_len; cnt >= 32; cnt -= 32) { + CopyMem(cp, tmp_result, 32); + cp += 32; + } + CopyMem(cp, tmp_result, cnt); + + SHA256_Init(&alt_ctx); + for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + SHA256_Update(&alt_ctx, salt, salt_size); + SHA256_Final(tmp_result, &alt_ctx); + + cp = s_bytes = AllocatePool(salt_size); + for (cnt = salt_size; cnt >= 32; cnt -= 32) { + CopyMem(cp, tmp_result, 32); + cp += 32; + } + CopyMem(cp, tmp_result, cnt); + + for (cnt = 0; cnt < rounds; ++cnt) { + SHA256_Init(&ctx); + + if ((cnt & 1) != 0) + SHA256_Update(&ctx, p_bytes, key_len); + else + SHA256_Update(&ctx, alt_result, 32); + + if (cnt % 3 != 0) + SHA256_Update(&ctx, s_bytes, salt_size); + + if (cnt % 7 != 0) + SHA256_Update(&ctx, p_bytes, key_len); + + if ((cnt & 1) != 0) + SHA256_Update(&ctx, alt_result, 32); + else + SHA256_Update(&ctx, p_bytes, key_len); + + SHA256_Final(alt_result, &ctx); + } + + CopyMem(hash, alt_result, SHA256_DIGEST_SIZE); + + FreePool(p_bytes); + FreePool(s_bytes); + + return EFI_SUCCESS; +} + +EFI_STATUS password_crypt (const char *password, UINT32 pw_length, + const PASSWORD_CRYPT *pw_crypt, UINT8 *hash) +{ + EFI_STATUS status; + + if (!pw_crypt) + return EFI_INVALID_PARAMETER; + + switch (pw_crypt->method) { + case TRANDITIONAL_DES: + case EXTEND_BSDI_DES: + case MD5_BASED: + /* TODO unsupported */ + status = EFI_UNSUPPORTED; + break; + case SHA256_BASED: + status = sha256_crypt(password, pw_length, (char *)pw_crypt->salt, + pw_crypt->salt_size, pw_crypt->iter_count, + hash); + break; + case SHA512_BASED: + case BLOWFISH_BASED: + /* TODO unsupported */ + status = EFI_UNSUPPORTED; + break; + default: + return EFI_INVALID_PARAMETER; + } + + return status; +} diff --git a/PasswordCrypt.h b/PasswordCrypt.h new file mode 100644 index 0000000..c9e377a --- /dev/null +++ b/PasswordCrypt.h @@ -0,0 +1,26 @@ +#ifndef __PASSWORD_CRYPT_H__ +#define __PASSWORD_CRYPT_H__ + +enum HashMethod { + TRANDITIONAL_DES = 0, + EXTEND_BSDI_DES, + MD5_BASED, + SHA256_BASED, + SHA512_BASED, + BLOWFISH_BASED +}; + +typedef struct { + UINT16 method; + UINT64 iter_count; + UINT16 salt_size; + UINT8 salt[32]; + UINT8 hash[128]; +} __attribute__ ((packed)) PASSWORD_CRYPT; + +#define PASSWORD_CRYPT_SIZE sizeof(PASSWORD_CRYPT) + +EFI_STATUS password_crypt (const char *password, UINT32 pw_length, + const PASSWORD_CRYPT *pw_hash, UINT8 *hash); + +#endif /* __PASSWORD_CRYPT_H__ */ From 5a89835189b65ac053edc92246b5a9e74abeeea5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 025/163] MokManager: support SHA512-based crypt() hash --- Cryptlib/OpenSSL/Makefile | 2 +- MokManager.c | 12 ++-- PasswordCrypt.c | 114 ++++++++++++++++++++++++++++++++++++++ PasswordCrypt.h | 1 + 4 files changed, 120 insertions(+), 9 deletions(-) diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 1960b6b..f8ab841 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC + -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif diff --git a/MokManager.c b/MokManager.c index 66e33ce..4cf836f 100644 --- a/MokManager.c +++ b/MokManager.c @@ -638,7 +638,7 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, UINT8 *auth, CHAR16 *prompt) { EFI_STATUS status; - UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 hash[128]; UINT8 *auth_hash; UINT32 auth_size; CHAR16 password[PASSWORD_MAX]; @@ -647,14 +647,10 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, int i; if (pw_crypt) { - /* - * Only support sha256 now - */ - if(pw_crypt->method != SHA256_BASED) - return EFI_INVALID_PARAMETER; auth_hash = pw_crypt->hash; - /* FIXME assign auth_size according to pw_crypt->method */ - auth_size = SHA256_DIGEST_SIZE; + auth_size = get_hash_size (pw_crypt->method); + if (auth_size == 0) + return EFI_INVALID_PARAMETER; } else if (auth) { auth_hash = auth; auth_size = SHA256_DIGEST_SIZE; diff --git a/PasswordCrypt.c b/PasswordCrypt.c index bde23ed..a62512e 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -2,8 +2,30 @@ #include #include #include +#include #include "PasswordCrypt.h" + +UINT16 get_hash_size (const UINT16 method) +{ + switch (method) { + case TRANDITIONAL_DES: + return 64 / 8; /* per "man crypt" */ + case EXTEND_BSDI_DES: + return 64 / 8; /* per "man crypt" */ + case MD5_BASED: + return MD5_DIGEST_LENGTH; + case SHA256_BASED: + return SHA256_DIGEST_LENGTH; + case SHA512_BASED: + return SHA512_DIGEST_LENGTH; + case BLOWFISH_BASED: + return 184 / 8; /* per "man crypt" */ + } + + return 0; +} + static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, const char *salt, UINT32 salt_size, const UINT32 rounds, UINT8 *hash) @@ -91,6 +113,94 @@ static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, return EFI_SUCCESS; } +static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len, + const char *salt, UINT32 salt_size, + const UINT32 rounds, UINT8 *hash) +{ + SHA512_CTX ctx, alt_ctx; + UINT8 alt_result[SHA512_DIGEST_LENGTH]; + UINT8 tmp_result[SHA512_DIGEST_LENGTH]; + UINT8 *cp, *p_bytes, *s_bytes; + UINTN cnt; + + SHA512_Init(&ctx); + SHA512_Update(&ctx, key, key_len); + SHA512_Update(&ctx, salt, salt_size); + + SHA512_Init(&alt_ctx); + SHA512_Update(&alt_ctx, key, key_len); + SHA512_Update(&alt_ctx, salt, salt_size); + SHA512_Update(&alt_ctx, key, key_len); + + SHA512_Final(alt_result, &alt_ctx); + + for (cnt = key_len; cnt > 64; cnt -= 64) + SHA512_Update(&ctx, alt_result, 64); + SHA512_Update(&ctx, alt_result, cnt); + + for (cnt = key_len; cnt > 0; cnt >>= 1) { + if ((cnt & 1) != 0) { + SHA512_Update(&ctx, alt_result, 64); + } else { + SHA512_Update(&ctx, key, key_len); + } + } + SHA512_Final(alt_result, &ctx); + + SHA512_Init(&alt_ctx); + for (cnt = 0; cnt < key_len; ++cnt) + SHA512_Update(&alt_ctx, key, key_len); + SHA512_Final(tmp_result, &alt_ctx); + + cp = p_bytes = AllocatePool(key_len); + for (cnt = key_len; cnt >= 64; cnt -= 64) { + CopyMem(cp, tmp_result, 64); + cp += 64; + } + CopyMem(cp, tmp_result, cnt); + + SHA512_Init(&alt_ctx); + for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + SHA512_Update(&alt_ctx, salt, salt_size); + SHA512_Final(tmp_result, &alt_ctx); + + cp = s_bytes = AllocatePool(salt_size); + for (cnt = salt_size; cnt >= 64; cnt -= 64) { + CopyMem(cp, tmp_result, 64); + cp += 64; + } + CopyMem(cp, tmp_result, cnt); + + for (cnt = 0; cnt < rounds; ++cnt) { + SHA512_Init(&ctx); + + if ((cnt & 1) != 0) + SHA512_Update(&ctx, p_bytes, key_len); + else + SHA512_Update(&ctx, alt_result, 64); + + if (cnt % 3 != 0) + SHA512_Update(&ctx, s_bytes, salt_size); + + if (cnt % 7 != 0) + SHA512_Update(&ctx, p_bytes, key_len); + + if ((cnt & 1) != 0) + SHA512_Update(&ctx, alt_result, 64); + else + SHA512_Update(&ctx, p_bytes, key_len); + + SHA512_Final(alt_result, &ctx); + } + + CopyMem(hash, alt_result, SHA512_DIGEST_LENGTH); + + FreePool(p_bytes); + FreePool(s_bytes); + + return EFI_SUCCESS; +} + EFI_STATUS password_crypt (const char *password, UINT32 pw_length, const PASSWORD_CRYPT *pw_crypt, UINT8 *hash) { @@ -112,6 +222,10 @@ EFI_STATUS password_crypt (const char *password, UINT32 pw_length, hash); break; case SHA512_BASED: + status = sha512_crypt(password, pw_length, (char *)pw_crypt->salt, + pw_crypt->salt_size, pw_crypt->iter_count, + hash); + break; case BLOWFISH_BASED: /* TODO unsupported */ status = EFI_UNSUPPORTED; diff --git a/PasswordCrypt.h b/PasswordCrypt.h index c9e377a..144bf84 100644 --- a/PasswordCrypt.h +++ b/PasswordCrypt.h @@ -22,5 +22,6 @@ typedef struct { EFI_STATUS password_crypt (const char *password, UINT32 pw_length, const PASSWORD_CRYPT *pw_hash, UINT8 *hash); +UINT16 get_hash_size (const UINT16 method); #endif /* __PASSWORD_CRYPT_H__ */ From 114dad494c9bdbbc9d8a57f56c1751621b79b92a Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 026/163] MokManager: support blowfish-based crypt() hash Conflicts: Makefile --- Makefile | 4 +- PasswordCrypt.c | 26 +- crypt_blowfish.c | 822 +++++++++++++++++++++++++++++++++++++++++++++++ crypt_blowfish.h | 22 ++ 4 files changed, 869 insertions(+), 5 deletions(-) create mode 100644 crypt_blowfish.c create mode 100644 crypt_blowfish.h diff --git a/Makefile b/Makefile index 0a7efd5..fc4f131 100644 --- a/Makefile +++ b/Makefile @@ -36,8 +36,8 @@ TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key SOURCES = shim.c shim.h netboot.c signature.h PeImage.h -MOK_OBJS = MokManager.o PasswordCrypt.o -MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h +MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o +MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o FALLBACK_SRCS = fallback.c diff --git a/PasswordCrypt.c b/PasswordCrypt.c index a62512e..38b980f 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -4,7 +4,9 @@ #include #include #include "PasswordCrypt.h" +#include "crypt_blowfish.h" +#define BLOWFISH_HASH_SIZE 31 /* 184/6+1 */ UINT16 get_hash_size (const UINT16 method) { @@ -20,7 +22,7 @@ UINT16 get_hash_size (const UINT16 method) case SHA512_BASED: return SHA512_DIGEST_LENGTH; case BLOWFISH_BASED: - return 184 / 8; /* per "man crypt" */ + return BLOWFISH_HASH_SIZE; } return 0; @@ -201,6 +203,21 @@ static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len, return EFI_SUCCESS; } +#define BF_RESULT_SIZE (7 + 22 + 31 + 1) + +static EFI_STATUS blowfish_crypt (const char *key, const char *salt, UINT8 *hash) +{ + char *retval, result[BF_RESULT_SIZE]; + + retval = crypt_blowfish_rn (key, salt, result, BF_RESULT_SIZE); + if (!retval) + return EFI_UNSUPPORTED; + + CopyMem(hash, result + 7 + 22, BF_RESULT_SIZE); + + return EFI_SUCCESS; +} + EFI_STATUS password_crypt (const char *password, UINT32 pw_length, const PASSWORD_CRYPT *pw_crypt, UINT8 *hash) { @@ -227,8 +244,11 @@ EFI_STATUS password_crypt (const char *password, UINT32 pw_length, hash); break; case BLOWFISH_BASED: - /* TODO unsupported */ - status = EFI_UNSUPPORTED; + if (pw_crypt->salt_size != (7 + 22 + 1)) { + status = EFI_INVALID_PARAMETER; + break; + } + status = blowfish_crypt(password, (char *)pw_crypt->salt, hash); break; default: return EFI_INVALID_PARAMETER; diff --git a/crypt_blowfish.c b/crypt_blowfish.c new file mode 100644 index 0000000..366a81a --- /dev/null +++ b/crypt_blowfish.c @@ -0,0 +1,822 @@ +/* + * The crypt_blowfish homepage is: + * + * http://www.openwall.com/crypt/ + * + * This code comes from John the Ripper password cracker, with reentrant + * and crypt(3) interfaces added, but optimizations specific to password + * cracking removed. + * + * Written by Solar Designer in 1998-2011. + * No copyright is claimed, and the software is hereby placed in the public + * domain. In case this attempt to disclaim copyright and place the software + * in the public domain is deemed null and void, then the software is + * Copyright (c) 1998-2011 Solar Designer and it is hereby released to the + * general public under the following terms: + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * There's ABSOLUTELY NO WARRANTY, express or implied. + * + * It is my intent that you should be able to use this on your system, + * as part of a software package, or anywhere else to improve security, + * ensure compatibility, or for any other purpose. I would appreciate + * it if you give credit where it is due and keep your modifications in + * the public domain as well, but I don't require that in order to let + * you place this code and any modifications you make under a license + * of your choice. + * + * This implementation is mostly compatible with OpenBSD's bcrypt.c (prefix + * "$2a$") by Niels Provos , and uses some of his + * ideas. The password hashing algorithm was designed by David Mazieres + * . For more information on the level of compatibility, + * prefer refer to the comments in BF_set_key() below and to the included + * crypt(3) man page. + * + * There's a paper on the algorithm that explains its design decisions: + * + * http://www.usenix.org/events/usenix99/provos.html + * + * Some of the tricks in BF_ROUND might be inspired by Eric Young's + * Blowfish library (I can't be sure if I would think of something if I + * hadn't seen his code). + */ + +#include +#include + +/* Just to make sure the prototypes match the actual definitions */ +#include "crypt_blowfish.h" + +typedef unsigned int BF_word; +typedef signed int BF_word_signed; + +/* Number of Blowfish rounds, this is also hardcoded into a few places */ +#define BF_N 16 + +typedef BF_word BF_key[BF_N + 2]; + +typedef struct { + BF_word S[4][0x100]; + BF_key P; +} BF_ctx; + +/* + * Magic IV for 64 Blowfish encryptions that we do at the end. + * The string is "OrpheanBeholderScryDoubt" on big-endian. + */ +static BF_word BF_magic_w[6] = { + 0x4F727068, 0x65616E42, 0x65686F6C, + 0x64657253, 0x63727944, 0x6F756274 +}; + +/* + * P-box and S-box tables initialized with digits of Pi. + */ +static BF_ctx BF_init_state = { + { + { + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, + 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, + 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, + 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, + 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, + 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, + 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, + 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, + 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, + 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, + 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, + 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, + 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, + 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, + 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, + 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, + 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, + 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, + 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, + 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, + 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, + 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, + 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, + 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, + 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, + 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, + 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, + 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, + 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, + 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, + 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, + 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, + 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, + 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, + 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, + 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, + 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, + 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, + 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, + 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, + 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, + 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, + 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a + }, { + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, + 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, + 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, + 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, + 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, + 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, + 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, + 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, + 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, + 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, + 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, + 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, + 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, + 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, + 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, + 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, + 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, + 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, + 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, + 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, + 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, + 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, + 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, + 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, + 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, + 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, + 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, + 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, + 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, + 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, + 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, + 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, + 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, + 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, + 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, + 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, + 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, + 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, + 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, + 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, + 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, + 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, + 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7 + }, { + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, + 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, + 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, + 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, + 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, + 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, + 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, + 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, + 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, + 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, + 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, + 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, + 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, + 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, + 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, + 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, + 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, + 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, + 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, + 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, + 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, + 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, + 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, + 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, + 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, + 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, + 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, + 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, + 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, + 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, + 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, + 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, + 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, + 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, + 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, + 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, + 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, + 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, + 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, + 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, + 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, + 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, + 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0 + }, { + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, + 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, + 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, + 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, + 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, + 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, + 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, + 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, + 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, + 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, + 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, + 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, + 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, + 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, + 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, + 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, + 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, + 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, + 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, + 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, + 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, + 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, + 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, + 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, + 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, + 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, + 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, + 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, + 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, + 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, + 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, + 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, + 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, + 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, + 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, + 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, + 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, + 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, + 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, + 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, + 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, + 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, + 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6 + } + }, { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b + } +}; + +static unsigned char BF_itoa64[64 + 1] = + "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + +static unsigned char BF_atoi64[0x60] = { + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1, + 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64, + 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64, + 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, + 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64 +}; + +#define BF_safe_atoi64(dst, src) \ +{ \ + tmp = (unsigned char)(src); \ + if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \ + tmp = BF_atoi64[tmp]; \ + if (tmp > 63) return -1; \ + (dst) = tmp; \ +} + +static int BF_decode(BF_word *dst, const char *src, int size) +{ + unsigned char *dptr = (unsigned char *)dst; + unsigned char *end = dptr + size; + const unsigned char *sptr = (const unsigned char *)src; + unsigned int tmp, c1, c2, c3, c4; + + do { + BF_safe_atoi64(c1, *sptr++); + BF_safe_atoi64(c2, *sptr++); + *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4); + if (dptr >= end) break; + + BF_safe_atoi64(c3, *sptr++); + *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2); + if (dptr >= end) break; + + BF_safe_atoi64(c4, *sptr++); + *dptr++ = ((c3 & 0x03) << 6) | c4; + } while (dptr < end); + + return 0; +} + +static void BF_encode(char *dst, const BF_word *src, int size) +{ + const unsigned char *sptr = (const unsigned char *)src; + const unsigned char *end = sptr + size; + unsigned char *dptr = (unsigned char *)dst; + unsigned int c1, c2; + + do { + c1 = *sptr++; + *dptr++ = BF_itoa64[c1 >> 2]; + c1 = (c1 & 0x03) << 4; + if (sptr >= end) { + *dptr++ = BF_itoa64[c1]; + break; + } + + c2 = *sptr++; + c1 |= c2 >> 4; + *dptr++ = BF_itoa64[c1]; + c1 = (c2 & 0x0f) << 2; + if (sptr >= end) { + *dptr++ = BF_itoa64[c1]; + break; + } + + c2 = *sptr++; + c1 |= c2 >> 6; + *dptr++ = BF_itoa64[c1]; + *dptr++ = BF_itoa64[c2 & 0x3f]; + } while (sptr < end); +} + +static void BF_swap(BF_word *x, int count) +{ + static int endianness_check = 1; + char *is_little_endian = (char *)&endianness_check; + BF_word tmp; + + if (*is_little_endian) + do { + tmp = *x; + tmp = (tmp << 16) | (tmp >> 16); + *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF); + } while (--count); +} + +/* Architectures which can shift addresses left by 2 bits with no extra cost */ +#define BF_ROUND(L, R, N) \ + tmp1 = L & 0xFF; \ + tmp2 = L >> 8; \ + tmp2 &= 0xFF; \ + tmp3 = L >> 16; \ + tmp3 &= 0xFF; \ + tmp4 = L >> 24; \ + tmp1 = data.ctx.S[3][tmp1]; \ + tmp2 = data.ctx.S[2][tmp2]; \ + tmp3 = data.ctx.S[1][tmp3]; \ + tmp3 += data.ctx.S[0][tmp4]; \ + tmp3 ^= tmp2; \ + R ^= data.ctx.P[N + 1]; \ + tmp3 += tmp1; \ + R ^= tmp3; + +/* + * Encrypt one block, BF_N is hardcoded here. + */ +#define BF_ENCRYPT \ + L ^= data.ctx.P[0]; \ + BF_ROUND(L, R, 0); \ + BF_ROUND(R, L, 1); \ + BF_ROUND(L, R, 2); \ + BF_ROUND(R, L, 3); \ + BF_ROUND(L, R, 4); \ + BF_ROUND(R, L, 5); \ + BF_ROUND(L, R, 6); \ + BF_ROUND(R, L, 7); \ + BF_ROUND(L, R, 8); \ + BF_ROUND(R, L, 9); \ + BF_ROUND(L, R, 10); \ + BF_ROUND(R, L, 11); \ + BF_ROUND(L, R, 12); \ + BF_ROUND(R, L, 13); \ + BF_ROUND(L, R, 14); \ + BF_ROUND(R, L, 15); \ + tmp4 = R; \ + R = L; \ + L = tmp4 ^ data.ctx.P[BF_N + 1]; + +#define BF_body() \ + L = R = 0; \ + ptr = data.ctx.P; \ + do { \ + ptr += 2; \ + BF_ENCRYPT; \ + *(ptr - 2) = L; \ + *(ptr - 1) = R; \ + } while (ptr < &data.ctx.P[BF_N + 2]); \ +\ + ptr = data.ctx.S[0]; \ + do { \ + ptr += 2; \ + BF_ENCRYPT; \ + *(ptr - 2) = L; \ + *(ptr - 1) = R; \ + } while (ptr < &data.ctx.S[3][0xFF]); + +static void BF_set_key(const char *key, BF_key expanded, BF_key initial, + unsigned char flags) +{ + const char *ptr = key; + unsigned int bug, i, j; + BF_word safety, sign, diff, tmp[2]; + +/* + * There was a sign extension bug in older revisions of this function. While + * we would have liked to simply fix the bug and move on, we have to provide + * a backwards compatibility feature (essentially the bug) for some systems and + * a safety measure for some others. The latter is needed because for certain + * multiple inputs to the buggy algorithm there exist easily found inputs to + * the correct algorithm that produce the same hash. Thus, we optionally + * deviate from the correct algorithm just enough to avoid such collisions. + * While the bug itself affected the majority of passwords containing + * characters with the 8th bit set (although only a percentage of those in a + * collision-producing way), the anti-collision safety measure affects + * only a subset of passwords containing the '\xff' character (not even all of + * those passwords, just some of them). This character is not found in valid + * UTF-8 sequences and is rarely used in popular 8-bit character encodings. + * Thus, the safety measure is unlikely to cause much annoyance, and is a + * reasonable tradeoff to use when authenticating against existing hashes that + * are not reliably known to have been computed with the correct algorithm. + * + * We use an approach that tries to minimize side-channel leaks of password + * information - that is, we mostly use fixed-cost bitwise operations instead + * of branches or table lookups. (One conditional branch based on password + * length remains. It is not part of the bug aftermath, though, and is + * difficult and possibly unreasonable to avoid given the use of C strings by + * the caller, which results in similar timing leaks anyway.) + * + * For actual implementation, we set an array index in the variable "bug" + * (0 means no bug, 1 means sign extension bug emulation) and a flag in the + * variable "safety" (bit 16 is set when the safety measure is requested). + * Valid combinations of settings are: + * + * Prefix "$2a$": bug = 0, safety = 0x10000 + * Prefix "$2x$": bug = 1, safety = 0 + * Prefix "$2y$": bug = 0, safety = 0 + */ + bug = (unsigned int)flags & 1; + safety = ((BF_word)flags & 2) << 15; + + sign = diff = 0; + + for (i = 0; i < BF_N + 2; i++) { + tmp[0] = tmp[1] = 0; + for (j = 0; j < 4; j++) { + tmp[0] <<= 8; + tmp[0] |= (unsigned char)*ptr; /* correct */ + tmp[1] <<= 8; + tmp[1] |= (BF_word_signed)(signed char)*ptr; /* bug */ +/* + * Sign extension in the first char has no effect - nothing to overwrite yet, + * and those extra 24 bits will be fully shifted out of the 32-bit word. For + * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign + * extension in tmp[1] occurs. Once this flag is set, it remains set. + */ + if (j) + sign |= tmp[1] & 0x80; + if (!*ptr) + ptr = key; + else + ptr++; + } + diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */ + + expanded[i] = tmp[bug]; + initial[i] = BF_init_state.P[i] ^ tmp[bug]; + } + +/* + * At this point, "diff" is zero iff the correct and buggy algorithms produced + * exactly the same result. If so and if "sign" is non-zero, which indicates + * that there was a non-benign sign extension, this means that we have a + * collision between the correctly computed hash for this password and a set of + * passwords that could be supplied to the buggy algorithm. Our safety measure + * is meant to protect from such many-buggy to one-correct collisions, by + * deviating from the correct algorithm in such cases. Let's check for this. + */ + diff |= diff >> 16; /* still zero iff exact match */ + diff &= 0xffff; /* ditto */ + diff += 0xffff; /* bit 16 set iff "diff" was non-zero (on non-match) */ + sign <<= 9; /* move the non-benign sign extension flag to bit 16 */ + sign &= ~diff & safety; /* action needed? */ + +/* + * If we have determined that we need to deviate from the correct algorithm, + * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but + * let's stick to it now. It came out of the approach we used above, and it's + * not any worse than any other choice we could make.) + * + * It is crucial that we don't do the same to the expanded key used in the main + * Eksblowfish loop. By doing it to only one of these two, we deviate from a + * state that could be directly specified by a password to the buggy algorithm + * (and to the fully correct one as well, but that's a side-effect). + */ + initial[0] ^= sign; +} + +static char *BF_crypt(const char *key, const char *setting, + char *output, int size, + BF_word min) +{ + static const unsigned char flags_by_subtype[26] = + {2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 0}; + struct { + BF_ctx ctx; + BF_key expanded_key; + union { + BF_word salt[4]; + BF_word output[6]; + } binary; + } data; + BF_word L, R; + BF_word tmp1, tmp2, tmp3, tmp4; + BF_word *ptr; + BF_word count; + int i; + + if (size < 7 + 22 + 31 + 1) { + return NULL; + } + + if (setting[0] != '$' || + setting[1] != '2' || + setting[2] < 'a' || setting[2] > 'z' || + !flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a'] || + setting[3] != '$' || + setting[4] < '0' || setting[4] > '3' || + setting[5] < '0' || setting[5] > '9' || + (setting[4] == '3' && setting[5] > '1') || + setting[6] != '$') { + return NULL; + } + + count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0')); + if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) { + return NULL; + } + BF_swap(data.binary.salt, 4); + + BF_set_key(key, data.expanded_key, data.ctx.P, + flags_by_subtype[(unsigned int)(unsigned char)setting[2] - 'a']); + + CopyMem(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S)); + + L = R = 0; + for (i = 0; i < BF_N + 2; i += 2) { + L ^= data.binary.salt[i & 2]; + R ^= data.binary.salt[(i & 2) + 1]; + BF_ENCRYPT; + data.ctx.P[i] = L; + data.ctx.P[i + 1] = R; + } + + ptr = data.ctx.S[0]; + do { + ptr += 4; + L ^= data.binary.salt[(BF_N + 2) & 3]; + R ^= data.binary.salt[(BF_N + 3) & 3]; + BF_ENCRYPT; + *(ptr - 4) = L; + *(ptr - 3) = R; + + L ^= data.binary.salt[(BF_N + 4) & 3]; + R ^= data.binary.salt[(BF_N + 5) & 3]; + BF_ENCRYPT; + *(ptr - 2) = L; + *(ptr - 1) = R; + } while (ptr < &data.ctx.S[3][0xFF]); + + do { + int done; + + for (i = 0; i < BF_N + 2; i += 2) { + data.ctx.P[i] ^= data.expanded_key[i]; + data.ctx.P[i + 1] ^= data.expanded_key[i + 1]; + } + + done = 0; + do { + BF_body(); + if (done) + break; + done = 1; + + tmp1 = data.binary.salt[0]; + tmp2 = data.binary.salt[1]; + tmp3 = data.binary.salt[2]; + tmp4 = data.binary.salt[3]; + for (i = 0; i < BF_N; i += 4) { + data.ctx.P[i] ^= tmp1; + data.ctx.P[i + 1] ^= tmp2; + data.ctx.P[i + 2] ^= tmp3; + data.ctx.P[i + 3] ^= tmp4; + } + data.ctx.P[16] ^= tmp1; + data.ctx.P[17] ^= tmp2; + } while (1); + } while (--count); + + for (i = 0; i < 6; i += 2) { + L = BF_magic_w[i]; + R = BF_magic_w[i + 1]; + + count = 64; + do { + BF_ENCRYPT; + } while (--count); + + data.binary.output[i] = L; + data.binary.output[i + 1] = R; + } + + CopyMem(output, (void *)setting, 7 + 22 - 1); + output[7 + 22 - 1] = BF_itoa64[(int) + BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30]; + +/* This has to be bug-compatible with the original implementation, so + * only encode 23 of the 24 bytes. :-) */ + BF_swap(data.binary.output, 6); + BF_encode(&output[7 + 22], data.binary.output, 23); + output[7 + 22 + 31] = '\0'; + + return output; +} + +int _crypt_output_magic(const char *setting, char *output, int size) +{ + if (size < 3) + return -1; + + output[0] = '*'; + output[1] = '0'; + output[2] = '\0'; + + if (setting[0] == '*' && setting[1] == '0') + output[1] = '1'; + + return 0; +} + +/* + * Please preserve the runtime self-test. It serves two purposes at once: + * + * 1. We really can't afford the risk of producing incompatible hashes e.g. + * when there's something like gcc bug 26587 again, whereas an application or + * library integrating this code might not also integrate our external tests or + * it might not run them after every build. Even if it does, the miscompile + * might only occur on the production build, but not on a testing build (such + * as because of different optimization settings). It is painful to recover + * from incorrectly-computed hashes - merely fixing whatever broke is not + * enough. Thus, a proactive measure like this self-test is needed. + * + * 2. We don't want to leave sensitive data from our actual password hash + * computation on the stack or in registers. Previous revisions of the code + * would do explicit cleanups, but simply running the self-test after hash + * computation is more reliable. + * + * The performance cost of this quick self-test is around 0.6% at the "$2a$08" + * setting. + */ +char *crypt_blowfish_rn(const char *key, const char *setting, + char *output, int size) +{ + const char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8"; + const char *test_setting = "$2a$00$abcdefghijklmnopqrstuu"; + static const char * const test_hash[2] = + {"VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55", /* $2x$ */ + "i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55"}; /* $2a$, $2y$ */ + char *retval; + const char *p; + int ok; + struct { + char s[7 + 22 + 1]; + char o[7 + 22 + 31 + 1 + 1 + 1]; + } buf; + +/* Hash the supplied password */ + _crypt_output_magic(setting, output, size); + retval = BF_crypt(key, setting, output, size, 16); + +/* + * Do a quick self-test. It is important that we make both calls to BF_crypt() + * from the same scope such that they likely use the same stack locations, + * which makes the second call overwrite the first call's sensitive data on the + * stack and makes it more likely that any alignment related issues would be + * detected by the self-test. + */ + CopyMem(buf.s, (void *)test_setting, sizeof(buf.s)); + if (retval) + buf.s[2] = setting[2]; + SetMem(buf.o, sizeof(buf.o), 0x55); + buf.o[sizeof(buf.o) - 1] = 0; + p = BF_crypt(test_key, buf.s, buf.o, sizeof(buf.o) - (1 + 1), 1); + + ok = (p == buf.o && + !CompareMem((void *)p, (void *)buf.s, 7 + 22) && + !CompareMem((void *)(p + (7 + 22)), + (void *)test_hash[(unsigned int)(unsigned char)buf.s[2] & 1], + 31 + 1 + 1 + 1)); + + { + const char *k = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"; + BF_key ae, ai, ye, yi; + BF_set_key(k, ae, ai, 2); /* $2a$ */ + BF_set_key(k, ye, yi, 4); /* $2y$ */ + ai[0] ^= 0x10000; /* undo the safety (for comparison) */ + ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 && + !CompareMem(ae, ye, sizeof(ae)) && + !CompareMem(ai, yi, sizeof(ai)); + } + + if (ok) + return retval; + +/* Should not happen */ + _crypt_output_magic(setting, output, size); + return NULL; +} diff --git a/crypt_blowfish.h b/crypt_blowfish.h new file mode 100644 index 0000000..dc3bd56 --- /dev/null +++ b/crypt_blowfish.h @@ -0,0 +1,22 @@ +/* + * Written by Solar Designer in 2000-2011. + * No copyright is claimed, and the software is hereby placed in the public + * domain. In case this attempt to disclaim copyright and place the software + * in the public domain is deemed null and void, then the software is + * Copyright (c) 2000-2011 Solar Designer and it is hereby released to the + * general public under the following terms: + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * There's ABSOLUTELY NO WARRANTY, express or implied. + * + * See crypt_blowfish.c for more information. + */ + +#ifndef _CRYPT_BLOWFISH_H +#define _CRYPT_BLOWFISH_H + +char *crypt_blowfish_rn(const char *key, const char *setting, + char *output, int size); +#endif From be5c35e1ac98c9b6f4e194b35bfaa5efb095cce7 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 027/163] MokManager: support MD5-based crypt() hash --- PasswordCrypt.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/PasswordCrypt.c b/PasswordCrypt.c index 38b980f..8483498 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -28,6 +28,69 @@ UINT16 get_hash_size (const UINT16 method) return 0; } +static const char md5_salt_prefix[] = "$1$"; + +static EFI_STATUS md5_crypt (const char *key, UINT32 key_len, + const char *salt, UINT32 salt_size, + UINT8 *hash) +{ + MD5_CTX ctx, alt_ctx; + UINT8 alt_result[MD5_DIGEST_LENGTH]; + UINTN cnt; + + MD5_Init(&ctx); + MD5_Update(&ctx, key, key_len); + MD5_Update(&ctx, md5_salt_prefix, sizeof(md5_salt_prefix) - 1); + MD5_Update(&ctx, salt, salt_size); + + MD5_Init(&alt_ctx); + MD5_Update(&alt_ctx, key, key_len); + MD5_Update(&alt_ctx, salt, salt_size); + MD5_Update(&alt_ctx, key, key_len); + MD5_Final(alt_result, &alt_ctx); + + for (cnt = key_len; cnt > 16; cnt -= 16) + MD5_Update(&ctx, alt_result, 16); + MD5_Update(&ctx, alt_result, cnt); + + *alt_result = '\0'; + + for (cnt = key_len; cnt > 0; cnt >>= 1) { + if ((cnt & 1) != 0) { + MD5_Update(&ctx, alt_result, 1); + } else { + MD5_Update(&ctx, key, 1); + } + } + MD5_Final(alt_result, &ctx); + + for (cnt = 0; cnt < 1000; ++cnt) { + MD5_Init(&ctx); + + if ((cnt & 1) != 0) + MD5_Update(&ctx, key, key_len); + else + MD5_Update(&ctx, alt_result, 16); + + if (cnt % 3 != 0) + MD5_Update(&ctx, salt, salt_size); + + if (cnt % 7 != 0) + MD5_Update(&ctx, key, key_len); + + if ((cnt & 1) != 0) + MD5_Update(&ctx, alt_result, 16); + else + MD5_Update(&ctx, key, key_len); + + MD5_Final(alt_result, &ctx); + } + + CopyMem(hash, alt_result, MD5_DIGEST_LENGTH); + + return EFI_SUCCESS; +} + static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, const char *salt, UINT32 salt_size, const UINT32 rounds, UINT8 *hash) @@ -229,10 +292,13 @@ EFI_STATUS password_crypt (const char *password, UINT32 pw_length, switch (pw_crypt->method) { case TRANDITIONAL_DES: case EXTEND_BSDI_DES: - case MD5_BASED: /* TODO unsupported */ status = EFI_UNSUPPORTED; break; + case MD5_BASED: + status = md5_crypt (password, pw_length, (char *)pw_crypt->salt, + pw_crypt->salt_size, hash); + break; case SHA256_BASED: status = sha256_crypt(password, pw_length, (char *)pw_crypt->salt, pw_crypt->salt_size, pw_crypt->iter_count, From 908eacc22512a61b7297460b9c7b61e5f45e01fd Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 028/163] MokManager: support Tradition DES hash --- PasswordCrypt.c | 28 +++++++++++++++++++++++----- PasswordCrypt.h | 2 +- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/PasswordCrypt.c b/PasswordCrypt.c index 8483498..8d72a82 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -3,18 +3,21 @@ #include #include #include +#include #include "PasswordCrypt.h" #include "crypt_blowfish.h" +#define TRAD_DES_HASH_SIZE 13 /* (64/6+1) + (12/6) */ +#define BSDI_DES_HASH_SIZE 20 /* (64/6+1) + (24/6) + 4 + 1 */ #define BLOWFISH_HASH_SIZE 31 /* 184/6+1 */ UINT16 get_hash_size (const UINT16 method) { switch (method) { - case TRANDITIONAL_DES: - return 64 / 8; /* per "man crypt" */ + case TRADITIONAL_DES: + return TRAD_DES_HASH_SIZE; case EXTEND_BSDI_DES: - return 64 / 8; /* per "man crypt" */ + return BSDI_DES_HASH_SIZE; case MD5_BASED: return MD5_DIGEST_LENGTH; case SHA256_BASED: @@ -28,6 +31,20 @@ UINT16 get_hash_size (const UINT16 method) return 0; } +static EFI_STATUS trad_des_crypt (const char *key, const char *salt, UINT8 *hash) +{ + char result[TRAD_DES_HASH_SIZE + 1]; + char *ret; + + ret = DES_fcrypt(key, salt, result); + if (ret) { + CopyMem(hash, result, TRAD_DES_HASH_SIZE); + return EFI_SUCCESS; + } + + return EFI_UNSUPPORTED; +} + static const char md5_salt_prefix[] = "$1$"; static EFI_STATUS md5_crypt (const char *key, UINT32 key_len, @@ -290,9 +307,10 @@ EFI_STATUS password_crypt (const char *password, UINT32 pw_length, return EFI_INVALID_PARAMETER; switch (pw_crypt->method) { - case TRANDITIONAL_DES: + case TRADITIONAL_DES: + status = trad_des_crypt (password, (char *)pw_crypt->salt, hash); + break; case EXTEND_BSDI_DES: - /* TODO unsupported */ status = EFI_UNSUPPORTED; break; case MD5_BASED: diff --git a/PasswordCrypt.h b/PasswordCrypt.h index 144bf84..b726f32 100644 --- a/PasswordCrypt.h +++ b/PasswordCrypt.h @@ -2,7 +2,7 @@ #define __PASSWORD_CRYPT_H__ enum HashMethod { - TRANDITIONAL_DES = 0, + TRADITIONAL_DES = 0, EXTEND_BSDI_DES, MD5_BASED, SHA256_BASED, From f9f81a22dd8794850f58b27e984162b539de1344 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 029/163] Fix the broken bootpath - The file path from DevicePathToStr may use slash as the file seperator. Change all slashes to backslashes to avoid the strange bootpath. - Remove the redundant backslashes. - ImagePath no longer requires the leading backslash. - Fix a memory leak Based on the patch from Michal Marek --- shim.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index d2ff51a..5c78406 100644 --- a/shim.c +++ b/shim.c @@ -995,15 +995,25 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, pathlen = StrLen(bootpath); + /* + * DevicePathToStr() concatenates two nodes with '/'. + * Convert '/' to '\\'. + */ + for (i = 0; i < pathlen; i++) { + if (bootpath[i] == '/') + bootpath[i] = '\\'; + } for (i=pathlen; i>0; i--) { - if (bootpath[i] == '\\') + if (bootpath[i] == '\\' && bootpath[i-1] != '\\') break; } + if (bootpath[i] == '\\') + bootpath[i+1] = '\0'; + else + bootpath[0] = '\0'; - bootpath[i+1] = '\0'; - - if (i == 0 || bootpath[i-i] == '\\') - bootpath[i] = '\0'; + while (*ImagePath == '\\') + ImagePath++; *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); @@ -1021,6 +1031,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *grubpath = FileDevicePath(device, *PathName); error: + FreePool(bootpath); + return efi_status; } From 436afcc276d2400ac5fd65d4300047b266901d16 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:01 -0400 Subject: [PATCH 030/163] Remove double-separators from the bootpath --- shim.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/shim.c b/shim.c index 5c78406..9b1117f 100644 --- a/shim.c +++ b/shim.c @@ -983,7 +983,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, { EFI_DEVICE_PATH *devpath; EFI_HANDLE device; - int i; + int i, j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; @@ -1003,14 +1003,27 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, if (bootpath[i] == '/') bootpath[i] = '\\'; } + for (i=pathlen; i>0; i--) { - if (bootpath[i] == '\\' && bootpath[i-1] != '\\') - break; + if (bootpath[i] == '\\' && bootpath[i-1] == '\\') + bootpath[i] = '/'; + else if (last == -1 && bootpath[i] == '\\') + last = i; + } + + if (last == -1 && bootpath[0] == '\\') + last = 0; + bootpath[last+1] = '\0'; + + if (last > 0) { + for (i = 0, j = 0; bootpath[i] != '\0'; i++) { + if (bootpath[i] != '/') { + bootpath[j] = bootpath[i]; + j++; + } + } + bootpath[j] = '\0'; } - if (bootpath[i] == '\\') - bootpath[i+1] = '\0'; - else - bootpath[0] = '\0'; while (*ImagePath == '\\') ImagePath++; From bd145c6082bde9740548ad7f88261008524ede15 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 031/163] Define the PXE 2nd stage loader in the beginning of the file Make it easier to change the PXE 2nd stage loader. Conflicts: netboot.c --- netboot.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/netboot.c b/netboot.c index a8904fd..3cb678a 100644 --- a/netboot.c +++ b/netboot.c @@ -39,6 +39,7 @@ #include "shim.h" #include "netboot.h" +#define DEFAULT_LOADER "/grub.efi" static inline unsigned short int __swap16(unsigned short int x) { @@ -228,7 +229,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; char ip6str[40]; - CHAR8 *template = (CHAR8 *)"/grubx64.efi"; + CHAR8 *template = DEFAULT_LOADER; if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); @@ -288,7 +289,7 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { - CHAR8 *template = (CHAR8 *)"/grubx64.efi"; + CHAR8 *template = DEFAULT_LOADER; full_path = AllocateZeroPool(strlen(template)+1); if (!full_path) From e053c227014dcaa9c2c9a63bbd00dfe149bfc468 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 032/163] Since different distros name grub*.efi differently, make it compile-time. Basically, if you don't want grub.efi, you do: make 'DEFAULT_LOADER=\\\\grubx64.efi' Signed-off-by: Peter Jones --- Makefile | 3 +++ netboot.c | 24 ++++++++++++++++++++---- shim.c | 1 - 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index fc4f131..0e40022 100644 --- a/Makefile +++ b/Makefile @@ -14,9 +14,12 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = elf_$(ARCH)_efi.lds +DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ -mno-mmx -mno-sse \ + "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ + "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI diff --git a/netboot.c b/netboot.c index 3cb678a..3554fc8 100644 --- a/netboot.c +++ b/netboot.c @@ -39,8 +39,6 @@ #include "shim.h" #include "netboot.h" -#define DEFAULT_LOADER "/grub.efi" - static inline unsigned short int __swap16(unsigned short int x) { __asm__("xchgb %b0,%h0" @@ -63,6 +61,24 @@ typedef struct { UINT8 Data[1]; } EFI_DHCP6_PACKET_OPTION; +static CHAR8 * +translate_slashes(char *str) +{ + int i; + int j; + if (str == NULL) + return (CHAR8 *)str; + + for (i = 0, j = 0; str[i] != '\0'; i++, j++) { + if (str[i] == '\\') { + str[j] = '/'; + if (str[i+1] == '\\') + i++; + } + } + return (CHAR8 *)str; +} + /* * usingNetboot * Returns TRUE if we identify a protocol that is enabled and Providing us with @@ -229,7 +245,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; char ip6str[40]; - CHAR8 *template = DEFAULT_LOADER; + CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); @@ -289,7 +305,7 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { - CHAR8 *template = DEFAULT_LOADER; + CHAR8 *template = (CHAR8 *)DEFAULT_LOADER_CHAR; full_path = AllocateZeroPool(strlen(template)+1); if (!full_path) diff --git a/shim.c b/shim.c index 9b1117f..8227013 100644 --- a/shim.c +++ b/shim.c @@ -43,7 +43,6 @@ #include "shim_cert.h" #include "ucs2.h" -#define DEFAULT_LOADER L"\\grub.efi" #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" From d71240bffff7a3813d75e14120ef800293e0214c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 033/163] Correct the certificate count of the signature list --- shim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index 8227013..3628543 100644 --- a/shim.c +++ b/shim.c @@ -232,7 +232,7 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { - CertCount = (CertList->SignatureListSize - CertList->SignatureHeaderSize) / CertList->SignatureSize; + CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); for (Index = 0; Index < CertCount; Index++) { IsFound = AuthenticodeVerify (data->CertData, @@ -297,7 +297,7 @@ static CHECK_STATUS check_db_hash_in_ram(EFI_SIGNATURE_LIST *CertList, BOOLEAN IsFound = FALSE; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { - CertCount = (CertList->SignatureListSize - CertList->SignatureHeaderSize) / CertList->SignatureSize; + CertCount = (CertList->SignatureListSize -sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); if (CompareGuid(&CertList->SignatureType, &CertType) == 0) { for (Index = 0; Index < CertCount; Index++) { From 8371c49ce7d1ca42a693620deb99b036dc29eca3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 034/163] MokManager: Remove the unnecessary string duplication --- MokManager.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/MokManager.c b/MokManager.c index 4cf836f..aacef61 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1448,45 +1448,45 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, return EFI_OUT_OF_RESOURCES; } - menu_strings[i] = StrDuplicate(L"Continue boot"); + menu_strings[i] = L"Continue boot"; menu_item[i] = MOK_CONTINUE_BOOT; i++; if (MokNew || MokAuth) { if (!MokNew) { - menu_strings[i] = StrDuplicate(L"Reset MOK"); + menu_strings[i] = L"Reset MOK"; menu_item[i] = MOK_RESET_MOK; } else { - menu_strings[i] = StrDuplicate(L"Enroll MOK"); + menu_strings[i] = L"Enroll MOK"; menu_item[i] = MOK_ENROLL_MOK; } i++; } if (MokDel || MokDelAuth) { - menu_strings[i] = StrDuplicate(L"Delete MOK"); + menu_strings[i] = L"Delete MOK"; menu_item[i] = MOK_DELETE_MOK; i++; } if (MokSB) { - menu_strings[i] = StrDuplicate(L"Change Secure Boot state"); + menu_strings[i] = L"Change Secure Boot state"; menu_item[i] = MOK_CHANGE_SB; i++; } if (MokPW) { - menu_strings[i] = StrDuplicate(L"Set MOK password"); + menu_strings[i] = L"Set MOK password"; menu_item[i] = MOK_SET_PW; i++; } - menu_strings[i] = StrDuplicate(L"Enroll key from disk"); + menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; - menu_strings[i] = StrDuplicate(L"Enroll hash from disk"); + menu_strings[i] = L"Enroll hash from disk"; menu_item[i] = MOK_HASH_ENROLL; i++; @@ -1529,9 +1529,6 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, out: console_reset(); - for (i=0; menu_strings[i] != NULL; i++) - FreePool(menu_strings[i]); - FreePool(menu_strings); if (menu_item) From 9a86568e1918bb38d3f134ed3451b380f09c2b1a Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 035/163] MokManager: draw the countdown screen --- MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/MokManager.c b/MokManager.c index aacef61..67c49ad 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1375,6 +1375,63 @@ static BOOLEAN verify_pw(void) return TRUE; } +static int draw_countdown() +{ + SIMPLE_TEXT_OUTPUT_MODE SavedMode; + EFI_INPUT_KEY key; + EFI_STATUS status; + UINTN cols, rows; + CHAR16 *title[2]; + CHAR16 *message = L"Press any key to perform MOK management"; + int timeout = 10, wait = 10000000; + + CopyMem(&SavedMode, ST->ConOut->Mode, sizeof(SavedMode)); + uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE); + uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); + + title[0] = PoolPrint (L"%s UEFI key management", SHIM_VENDOR); + title[1] = NULL; + + console_print_box_at(title, -1, 0, 0, -1, -1, 1, 1); + + uefi_call_wrapper(ST->ConOut->QueryMode, 4, ST->ConOut, + ST->ConOut->Mode->Mode, &cols, &rows); + + PrintAt((cols - StrLen(message))/2, rows/2, message); + while (1) { + if (timeout > 1) + PrintAt(2, rows - 3, L"Booting in %d seconds ", timeout); + else if (timeout) + PrintAt(2, rows - 3, L"Booting in %d second ", timeout); + + status = WaitForSingleEvent(ST->ConIn->WaitForKey, wait); + + if (status != EFI_TIMEOUT) { + /* Clear the key in the queue */ + uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, + ST->ConIn, &key); + break; + } + + timeout--; + if (!timeout) + break; + } + + FreePool(title[0]); + + /* Restore everything */ + uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, + SavedMode.CursorVisible); + uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, + SavedMode.CursorColumn, SavedMode.CursorRow); + uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, + SavedMode.Attribute); + + return timeout; +} + typedef enum { MOK_CONTINUE_BOOT, MOK_RESET_MOK, @@ -1492,6 +1549,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, menu_strings[i] = NULL; + if (draw_countdown() == 0) + goto out; + while (choice >= 0) { choice = console_select((CHAR16 *[]){ L"Perform MOK management", NULL }, menu_strings, 0); From 44d7d0e66819790e9f3de20693ffc6374182d063 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 036/163] MokManager: remove the duplicate get_keystroke() --- MokManager.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/MokManager.c b/MokManager.c index 67c49ad..792df32 100644 --- a/MokManager.c +++ b/MokManager.c @@ -73,18 +73,6 @@ static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes, return efi_status; } -static EFI_INPUT_KEY get_keystroke (void) -{ - EFI_INPUT_KEY key; - UINTN EventIndex; - - uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, - &EventIndex); - uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &key); - - return key; -} - static EFI_STATUS get_sha1sum (void *Data, int DataSize, UINT8 *hash) { EFI_STATUS status; @@ -553,7 +541,7 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show int count = 0; do { - key = get_keystroke(); + key = console_get_keystroke(); if ((count >= line_max && key.UnicodeChar != CHAR_BACKSPACE) || From 5326c090bee8ff98c86354796d7fec56e4b6d129 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 037/163] MokManager: enhance the password prompt --- MokManager.c | 106 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 81 insertions(+), 25 deletions(-) diff --git a/MokManager.c b/MokManager.c index 792df32..16cdfe8 100644 --- a/MokManager.c +++ b/MokManager.c @@ -621,6 +621,61 @@ done: return status; } +static void console_save_and_set_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode) +{ + if (!SavedMode) { + Print(L"Invalid parameter: SavedMode\n"); + return; + } + + CopyMem(SavedMode, ST->ConOut->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); + uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE); + uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); +} + +static void console_restore_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode) +{ + uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, + SavedMode->CursorVisible); + uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, + SavedMode->CursorColumn, SavedMode->CursorRow); + uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, + SavedMode->Attribute); +} + +static UINT32 get_password (CHAR16 *prompt, CHAR16 *password, UINT32 max) +{ + SIMPLE_TEXT_OUTPUT_MODE SavedMode; + CHAR16 *str; + CHAR16 *message[2]; + UINTN length; + UINT32 pw_length; + + if (!prompt) + prompt = L"Password:"; + + console_save_and_set_mode(&SavedMode); + + str = PoolPrint(L"%s ", prompt); + if (!str) { + console_errorbox(L"Failed to allocate prompt"); + return 0; + } + + message[0] = str; + message[1] = NULL; + length = StrLen(message[0]); + console_print_box_at(message, -1, -length-4, -5, length+4, 3, 0, 1); + get_line(&pw_length, password, max, 0); + + console_restore_mode(&SavedMode); + + FreePool(str); + + return pw_length; +} + static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, void *Data, UINTN DataSize, UINT8 *auth, CHAR16 *prompt) @@ -647,15 +702,10 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, } while (fail_count < 3) { - if (prompt) { - Print(L"%s", prompt); - } else { - Print(L"Password: "); - } - get_line(&pw_length, password, PASSWORD_MAX, 0); + pw_length = get_password(prompt, password, PASSWORD_MAX); if (pw_length < PASSWORD_MIN || pw_length > PASSWORD_MAX) { - Print(L"Invalid password length\n"); + console_errorbox(L"Invalid password length"); fail_count++; continue; } @@ -678,13 +728,13 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, pw_length * sizeof(CHAR16), hash); } if (status != EFI_SUCCESS) { - Print(L"Unable to generate password hash\n"); + console_errorbox(L"Unable to generate password hash"); fail_count++; continue; } if (CompareMem(auth_hash, hash, auth_size) != 0) { - Print(L"Password doesn't match\n"); + console_errorbox(L"Password doesn't match"); fail_count++; continue; } @@ -1322,13 +1372,17 @@ static void mok_key_enroll(void) FreePool(data); } -static BOOLEAN verify_pw(void) +static BOOLEAN verify_pw(BOOLEAN *protected) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; + SIMPLE_TEXT_OUTPUT_MODE SavedMode; UINT8 pwhash[PASSWORD_CRYPT_SIZE]; UINTN size = PASSWORD_CRYPT_SIZE; UINT32 attributes; + CHAR16 *message[2]; + + *protected = FALSE; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", &shim_lock_guid, &attributes, &size, @@ -1348,18 +1402,28 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); + /* Draw the background */ + console_save_and_set_mode(&SavedMode); + message[0] = PoolPrint (L"%s UEFI key management", SHIM_VENDOR); + message[1] = NULL; + console_print_box_at(message, -1, 0, 0, -1, -1, 1, 1); + FreePool(message[0]); + console_restore_mode(&SavedMode); + if (size == PASSWORD_CRYPT_SIZE) { efi_status = match_password((PASSWORD_CRYPT *)pwhash, NULL, 0, - NULL, L"Enter MOK password: "); + NULL, L"Enter MOK password:"); } else { efi_status = match_password(NULL, NULL, 0, pwhash, - L"Enter MOK password: "); + L"Enter MOK password:"); } if (efi_status != EFI_SUCCESS) { console_notify(L"Password limit reached"); return FALSE; } + *protected = TRUE; + return TRUE; } @@ -1373,10 +1437,7 @@ static int draw_countdown() CHAR16 *message = L"Press any key to perform MOK management"; int timeout = 10, wait = 10000000; - CopyMem(&SavedMode, ST->ConOut->Mode, sizeof(SavedMode)); - uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE); - uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, - EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); + console_save_and_set_mode (&SavedMode); title[0] = PoolPrint (L"%s UEFI key management", SHIM_VENDOR); title[1] = NULL; @@ -1409,13 +1470,7 @@ static int draw_countdown() FreePool(title[0]); - /* Restore everything */ - uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, - SavedMode.CursorVisible); - uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, - SavedMode.CursorColumn, SavedMode.CursorRow); - uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, - SavedMode.Attribute); + console_restore_mode(&SavedMode); return timeout; } @@ -1448,9 +1503,10 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINT8 auth[PASSWORD_CRYPT_SIZE]; UINTN auth_size = PASSWORD_CRYPT_SIZE; UINT32 attributes; + BOOLEAN protected; EFI_STATUS ret = EFI_SUCCESS; - if (verify_pw() == FALSE) + if (verify_pw(&protected) == FALSE) return EFI_ACCESS_DENIED; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", @@ -1537,7 +1593,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, menu_strings[i] = NULL; - if (draw_countdown() == 0) + if (protected == FALSE && draw_countdown() == 0) goto out; while (choice >= 0) { From 3c5b49ec5a76407c20a5a86950ab3105d51d5707 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 038/163] Enable openssl bio_printf() bio_printf() was replaced with a dummy function and this made several openssl functions useless. This commit adds the print functions back, so that we don't have to implement our own ASN1 time print function. --- Cryptlib/OpenSSL/Makefile | 1 + Cryptlib/OpenSSL/crypto/bio/b_print.c | 842 ++++++++++++++++++++++++++ Cryptlib/SysCall/CrtWrapper.c | 10 - 3 files changed, 843 insertions(+), 10 deletions(-) create mode 100644 Cryptlib/OpenSSL/crypto/bio/b_print.c diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index f8ab841..c93d5af 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -215,6 +215,7 @@ OBJS = crypto/cryptlib.o \ crypto/bio/bf_null.o \ crypto/bio/bf_buff.o \ crypto/bio/b_dump.o \ + crypto/bio/b_print.o \ crypto/bio/bf_nbio.o \ crypto/bio/bss_log.o \ crypto/bio/bss_bio.o \ diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c new file mode 100644 index 0000000..3a87b0e --- /dev/null +++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c @@ -0,0 +1,842 @@ +/* crypto/bio/b_print.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +/* disable assert() unless BIO_DEBUG has been defined */ +#ifndef BIO_DEBUG +# ifndef NDEBUG +# define NDEBUG +# endif +#endif + +/* + * Stolen from tjh's ssl/ssl_trc.c stuff. + */ + +#include +#include +#include +#include +#include +#include "cryptlib.h" +#ifndef NO_SYS_TYPES_H +#include +#endif +#include /* To get BN_LLONG properly defined */ +#include + +#if defined(BN_LLONG) || defined(SIXTY_FOUR_BIT) +# ifndef HAVE_LONG_LONG +# define HAVE_LONG_LONG 1 +# endif +#endif + +/***************************************************************************/ + +/* + * Copyright Patrick Powell 1995 + * This code is based on code written by Patrick Powell + * It may be used for any purpose as long as this notice remains intact + * on all source code distributions. + */ + +/* + * This code contains numerious changes and enhancements which were + * made by lots of contributors over the last years to Patrick Powell's + * original code: + * + * o Patrick Powell (1995) + * o Brandon Long (1996, for Mutt) + * o Thomas Roessler (1998, for Mutt) + * o Michael Elkins (1998, for Mutt) + * o Andrew Tridgell (1998, for Samba) + * o Luke Mewburn (1999, for LukemFTP) + * o Ralf S. Engelschall (1999, for Pth) + * o ... (for OpenSSL) + */ + +#ifdef HAVE_LONG_DOUBLE +#define LDOUBLE long double +#else +#define LDOUBLE double +#endif + +#if HAVE_LONG_LONG +# if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__) +# define LLONG __int64 +# else +# define LLONG long long +# endif +#else +#define LLONG long +#endif + +static void fmtstr (char **, char **, size_t *, size_t *, + const char *, int, int, int); +static void fmtint (char **, char **, size_t *, size_t *, + LLONG, int, int, int, int); +static void fmtfp (char **, char **, size_t *, size_t *, + LDOUBLE, int, int, int); +static void doapr_outch (char **, char **, size_t *, size_t *, int); +static void _dopr(char **sbuffer, char **buffer, + size_t *maxlen, size_t *retlen, int *truncated, + const char *format, va_list args); + +/* format read states */ +#define DP_S_DEFAULT 0 +#define DP_S_FLAGS 1 +#define DP_S_MIN 2 +#define DP_S_DOT 3 +#define DP_S_MAX 4 +#define DP_S_MOD 5 +#define DP_S_CONV 6 +#define DP_S_DONE 7 + +/* format flags - Bits */ +#define DP_F_MINUS (1 << 0) +#define DP_F_PLUS (1 << 1) +#define DP_F_SPACE (1 << 2) +#define DP_F_NUM (1 << 3) +#define DP_F_ZERO (1 << 4) +#define DP_F_UP (1 << 5) +#define DP_F_UNSIGNED (1 << 6) + +/* conversion flags */ +#define DP_C_SHORT 1 +#define DP_C_LONG 2 +#define DP_C_LDOUBLE 3 +#define DP_C_LLONG 4 + +/* some handy macros */ +#define char_to_int(p) (p - '0') +#define OSSL_MAX(p,q) ((p >= q) ? p : q) + +static void +_dopr( + char **sbuffer, + char **buffer, + size_t *maxlen, + size_t *retlen, + int *truncated, + const char *format, + va_list args) +{ + char ch; + LLONG value; + LDOUBLE fvalue; + char *strvalue; + int min; + int max; + int state; + int flags; + int cflags; + size_t currlen; + + state = DP_S_DEFAULT; + flags = currlen = cflags = min = 0; + max = -1; + ch = *format++; + + while (state != DP_S_DONE) { + if (ch == '\0' || (buffer == NULL && currlen >= *maxlen)) + state = DP_S_DONE; + + switch (state) { + case DP_S_DEFAULT: + if (ch == '%') + state = DP_S_FLAGS; + else + doapr_outch(sbuffer,buffer, &currlen, maxlen, ch); + ch = *format++; + break; + case DP_S_FLAGS: + switch (ch) { + case '-': + flags |= DP_F_MINUS; + ch = *format++; + break; + case '+': + flags |= DP_F_PLUS; + ch = *format++; + break; + case ' ': + flags |= DP_F_SPACE; + ch = *format++; + break; + case '#': + flags |= DP_F_NUM; + ch = *format++; + break; + case '0': + flags |= DP_F_ZERO; + ch = *format++; + break; + default: + state = DP_S_MIN; + break; + } + break; + case DP_S_MIN: + if (isdigit((unsigned char)ch)) { + min = 10 * min + char_to_int(ch); + ch = *format++; + } else if (ch == '*') { + min = va_arg(args, int); + ch = *format++; + state = DP_S_DOT; + } else + state = DP_S_DOT; + break; + case DP_S_DOT: + if (ch == '.') { + state = DP_S_MAX; + ch = *format++; + } else + state = DP_S_MOD; + break; + case DP_S_MAX: + if (isdigit((unsigned char)ch)) { + if (max < 0) + max = 0; + max = 10 * max + char_to_int(ch); + ch = *format++; + } else if (ch == '*') { + max = va_arg(args, int); + ch = *format++; + state = DP_S_MOD; + } else + state = DP_S_MOD; + break; + case DP_S_MOD: + switch (ch) { + case 'h': + cflags = DP_C_SHORT; + ch = *format++; + break; + case 'l': + if (*format == 'l') { + cflags = DP_C_LLONG; + format++; + } else + cflags = DP_C_LONG; + ch = *format++; + break; + case 'q': + cflags = DP_C_LLONG; + ch = *format++; + break; + case 'L': + cflags = DP_C_LDOUBLE; + ch = *format++; + break; + default: + break; + } + state = DP_S_CONV; + break; + case DP_S_CONV: + switch (ch) { + case 'd': + case 'i': + switch (cflags) { + case DP_C_SHORT: + value = (short int)va_arg(args, int); + break; + case DP_C_LONG: + value = va_arg(args, long int); + break; + case DP_C_LLONG: + value = va_arg(args, LLONG); + break; + default: + value = va_arg(args, int); + break; + } + fmtint(sbuffer, buffer, &currlen, maxlen, + value, 10, min, max, flags); + break; + case 'X': + flags |= DP_F_UP; + /* FALLTHROUGH */ + case 'x': + case 'o': + case 'u': + flags |= DP_F_UNSIGNED; + switch (cflags) { + case DP_C_SHORT: + value = (unsigned short int)va_arg(args, unsigned int); + break; + case DP_C_LONG: + value = (LLONG) va_arg(args, + unsigned long int); + break; + case DP_C_LLONG: + value = va_arg(args, unsigned LLONG); + break; + default: + value = (LLONG) va_arg(args, + unsigned int); + break; + } + fmtint(sbuffer, buffer, &currlen, maxlen, value, + ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), + min, max, flags); + break; + case 'f': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, LDOUBLE); + else + fvalue = va_arg(args, double); + fmtfp(sbuffer, buffer, &currlen, maxlen, + fvalue, min, max, flags); + break; + case 'E': + flags |= DP_F_UP; + case 'e': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, LDOUBLE); + else + fvalue = va_arg(args, double); + break; + case 'G': + flags |= DP_F_UP; + case 'g': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, LDOUBLE); + else + fvalue = va_arg(args, double); + break; + case 'c': + doapr_outch(sbuffer, buffer, &currlen, maxlen, + va_arg(args, int)); + break; + case 's': + strvalue = va_arg(args, char *); + if (max < 0) { + if (buffer) + max = INT_MAX; + else + max = *maxlen; + } + fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, + flags, min, max); + break; + case 'p': + value = (long)va_arg(args, void *); + fmtint(sbuffer, buffer, &currlen, maxlen, + value, 16, min, max, flags|DP_F_NUM); + break; + case 'n': /* XXX */ + if (cflags == DP_C_SHORT) { + short int *num; + num = va_arg(args, short int *); + *num = currlen; + } else if (cflags == DP_C_LONG) { /* XXX */ + long int *num; + num = va_arg(args, long int *); + *num = (long int) currlen; + } else if (cflags == DP_C_LLONG) { /* XXX */ + LLONG *num; + num = va_arg(args, LLONG *); + *num = (LLONG) currlen; + } else { + int *num; + num = va_arg(args, int *); + *num = currlen; + } + break; + case '%': + doapr_outch(sbuffer, buffer, &currlen, maxlen, ch); + break; + case 'w': + /* not supported yet, treat as next char */ + ch = *format++; + break; + default: + /* unknown, skip */ + break; + } + ch = *format++; + state = DP_S_DEFAULT; + flags = cflags = min = 0; + max = -1; + break; + case DP_S_DONE: + break; + default: + break; + } + } + *truncated = (currlen > *maxlen - 1); + if (*truncated) + currlen = *maxlen - 1; + doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'); + *retlen = currlen - 1; + return; +} + +static void +fmtstr( + char **sbuffer, + char **buffer, + size_t *currlen, + size_t *maxlen, + const char *value, + int flags, + int min, + int max) +{ + int padlen, strln; + int cnt = 0; + + if (value == 0) + value = ""; + for (strln = 0; value[strln]; ++strln) + ; + padlen = min - strln; + if (padlen < 0) + padlen = 0; + if (flags & DP_F_MINUS) + padlen = -padlen; + + while ((padlen > 0) && (cnt < max)) { + doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); + --padlen; + ++cnt; + } + while (*value && (cnt < max)) { + doapr_outch(sbuffer, buffer, currlen, maxlen, *value++); + ++cnt; + } + while ((padlen < 0) && (cnt < max)) { + doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); + ++padlen; + ++cnt; + } +} + +static void +fmtint( + char **sbuffer, + char **buffer, + size_t *currlen, + size_t *maxlen, + LLONG value, + int base, + int min, + int max, + int flags) +{ + int signvalue = 0; + const char *prefix = ""; + unsigned LLONG uvalue; + char convert[DECIMAL_SIZE(value)+3]; + int place = 0; + int spadlen = 0; + int zpadlen = 0; + int caps = 0; + + if (max < 0) + max = 0; + uvalue = value; + if (!(flags & DP_F_UNSIGNED)) { + if (value < 0) { + signvalue = '-'; + uvalue = -value; + } else if (flags & DP_F_PLUS) + signvalue = '+'; + else if (flags & DP_F_SPACE) + signvalue = ' '; + } + if (flags & DP_F_NUM) { + if (base == 8) prefix = "0"; + if (base == 16) prefix = "0x"; + } + if (flags & DP_F_UP) + caps = 1; + do { + convert[place++] = + (caps ? "0123456789ABCDEF" : "0123456789abcdef") + [uvalue % (unsigned) base]; + uvalue = (uvalue / (unsigned) base); + } while (uvalue && (place < (int)sizeof(convert))); + if (place == sizeof(convert)) + place--; + convert[place] = 0; + + zpadlen = max - place; + spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); + if (zpadlen < 0) + zpadlen = 0; + if (spadlen < 0) + spadlen = 0; + if (flags & DP_F_ZERO) { + zpadlen = OSSL_MAX(zpadlen, spadlen); + spadlen = 0; + } + if (flags & DP_F_MINUS) + spadlen = -spadlen; + + /* spaces */ + while (spadlen > 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); + --spadlen; + } + + /* sign */ + if (signvalue) + doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); + + /* prefix */ + while (*prefix) { + doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); + prefix++; + } + + /* zeros */ + if (zpadlen > 0) { + while (zpadlen > 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); + --zpadlen; + } + } + /* digits */ + while (place > 0) + doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]); + + /* left justified spaces */ + while (spadlen < 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); + ++spadlen; + } + return; +} + +static LDOUBLE +abs_val(LDOUBLE value) +{ + LDOUBLE result = value; + if (value < 0) + result = -value; + return result; +} + +static LDOUBLE +pow_10(int in_exp) +{ + LDOUBLE result = 1; + while (in_exp) { + result *= 10; + in_exp--; + } + return result; +} + +static long +roundv(LDOUBLE value) +{ + long intpart; + intpart = (long) value; + value = value - intpart; + if (value >= 0.5) + intpart++; + return intpart; +} + +static void +fmtfp( + char **sbuffer, + char **buffer, + size_t *currlen, + size_t *maxlen, + LDOUBLE fvalue, + int min, + int max, + int flags) +{ + int signvalue = 0; + LDOUBLE ufvalue; + char iconvert[20]; + char fconvert[20]; + int iplace = 0; + int fplace = 0; + int padlen = 0; + int zpadlen = 0; + int caps = 0; + long intpart; + long fracpart; + long max10; + + if (max < 0) + max = 6; + ufvalue = abs_val(fvalue); + if (fvalue < 0) + signvalue = '-'; + else if (flags & DP_F_PLUS) + signvalue = '+'; + else if (flags & DP_F_SPACE) + signvalue = ' '; + + intpart = (long)ufvalue; + + /* sorry, we only support 9 digits past the decimal because of our + conversion method */ + if (max > 9) + max = 9; + + /* we "cheat" by converting the fractional part to integer by + multiplying by a factor of 10 */ + max10 = roundv(pow_10(max)); + fracpart = roundv(pow_10(max) * (ufvalue - intpart)); + + if (fracpart >= max10) { + intpart++; + fracpart -= max10; + } + + /* convert integer part */ + do { + iconvert[iplace++] = + (caps ? "0123456789ABCDEF" + : "0123456789abcdef")[intpart % 10]; + intpart = (intpart / 10); + } while (intpart && (iplace < (int)sizeof(iconvert))); + if (iplace == sizeof iconvert) + iplace--; + iconvert[iplace] = 0; + + /* convert fractional part */ + do { + fconvert[fplace++] = + (caps ? "0123456789ABCDEF" + : "0123456789abcdef")[fracpart % 10]; + fracpart = (fracpart / 10); + } while (fplace < max); + if (fplace == sizeof fconvert) + fplace--; + fconvert[fplace] = 0; + + /* -1 for decimal point, another -1 if we are printing a sign */ + padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); + zpadlen = max - fplace; + if (zpadlen < 0) + zpadlen = 0; + if (padlen < 0) + padlen = 0; + if (flags & DP_F_MINUS) + padlen = -padlen; + + if ((flags & DP_F_ZERO) && (padlen > 0)) { + if (signvalue) { + doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); + --padlen; + signvalue = 0; + } + while (padlen > 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); + --padlen; + } + } + while (padlen > 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); + --padlen; + } + if (signvalue) + doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); + + while (iplace > 0) + doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]); + + /* + * Decimal point. This should probably use locale to find the correct + * char to print out. + */ + if (max > 0 || (flags & DP_F_NUM)) { + doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); + + while (fplace > 0) + doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]); + } + while (zpadlen > 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); + --zpadlen; + } + + while (padlen < 0) { + doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); + ++padlen; + } +} + +static void +doapr_outch( + char **sbuffer, + char **buffer, + size_t *currlen, + size_t *maxlen, + int c) +{ + /* If we haven't at least one buffer, someone has doe a big booboo */ + assert(*sbuffer != NULL || buffer != NULL); + + if (buffer) { + while (*currlen >= *maxlen) { + if (*buffer == NULL) { + if (*maxlen == 0) + *maxlen = 1024; + *buffer = OPENSSL_malloc(*maxlen); + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + *maxlen += 1024; + *buffer = OPENSSL_realloc(*buffer, *maxlen); + } + } + /* What to do if *buffer is NULL? */ + assert(*sbuffer != NULL || *buffer != NULL); + } + + if (*currlen < *maxlen) { + if (*sbuffer) + (*sbuffer)[(*currlen)++] = (char)c; + else + (*buffer)[(*currlen)++] = (char)c; + } + + return; +} + +/***************************************************************************/ + +int BIO_printf (BIO *bio, const char *format, ...) + { + va_list args; + int ret; + + va_start(args, format); + + ret = BIO_vprintf(bio, format, args); + + va_end(args); + return(ret); + } + +int BIO_vprintf (BIO *bio, const char *format, va_list args) + { + int ret; + size_t retlen; + char hugebuf[1024*2]; /* Was previously 10k, which is unreasonable + in small-stack environments, like threads + or DOS programs. */ + char *hugebufp = hugebuf; + size_t hugebufsize = sizeof(hugebuf); + char *dynbuf = NULL; + int ignored; + + dynbuf = NULL; + CRYPTO_push_info("doapr()"); + _dopr(&hugebufp, &dynbuf, &hugebufsize, + &retlen, &ignored, format, args); + if (dynbuf) + { + ret=BIO_write(bio, dynbuf, (int)retlen); + OPENSSL_free(dynbuf); + } + else + { + ret=BIO_write(bio, hugebuf, (int)retlen); + } + CRYPTO_pop_info(); + return(ret); + } + +/* As snprintf is not available everywhere, we provide our own implementation. + * This function has nothing to do with BIOs, but it's closely related + * to BIO_printf, and we need *some* name prefix ... + * (XXX the function should be renamed, but to what?) */ +int BIO_snprintf(char *buf, size_t n, const char *format, ...) + { + va_list args; + int ret; + + va_start(args, format); + + ret = BIO_vsnprintf(buf, n, format, args); + + va_end(args); + return(ret); + } + +int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) + { + size_t retlen; + int truncated; + + _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); + + if (truncated) + /* In case of truncation, return -1 like traditional snprintf. + * (Current drafts for ISO/IEC 9899 say snprintf should return + * the number of characters that would have been written, + * had the buffer been large enough.) */ + return -1; + else + return (retlen <= INT_MAX) ? (int)retlen : -1; + } diff --git a/Cryptlib/SysCall/CrtWrapper.c b/Cryptlib/SysCall/CrtWrapper.c index fb446b6..5a8322d 100644 --- a/Cryptlib/SysCall/CrtWrapper.c +++ b/Cryptlib/SysCall/CrtWrapper.c @@ -293,16 +293,6 @@ size_t fwrite (const void *buffer, size_t size, size_t count, FILE *stream) // -- Dummy OpenSSL Support Routines -- // -int BIO_printf (void *bio, const char *format, ...) -{ - return 0; -} - -int BIO_snprintf(char *buf, size_t n, const char *format, ...) -{ - return 0; -} - void *UI_OpenSSL(void) { return NULL; From c34ed0ae2f4cc09b98b111b233ed644ec6deeefd Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 039/163] Disable floating points in b_print The long double declaration will enable SSE and cause a compilation error. Disabling everything related to floating points avoids the error. --- Cryptlib/OpenSSL/crypto/bio/b_print.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c index 3a87b0e..b8b630c 100644 --- a/Cryptlib/OpenSSL/crypto/bio/b_print.c +++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c @@ -129,8 +129,10 @@ static void fmtstr (char **, char **, size_t *, size_t *, const char *, int, int, int); static void fmtint (char **, char **, size_t *, size_t *, LLONG, int, int, int, int); +#ifndef OPENSSL_SYS_UEFI static void fmtfp (char **, char **, size_t *, size_t *, LDOUBLE, int, int, int); +#endif static void doapr_outch (char **, char **, size_t *, size_t *, int); static void _dopr(char **sbuffer, char **buffer, size_t *maxlen, size_t *retlen, int *truncated, @@ -177,7 +179,9 @@ _dopr( { char ch; LLONG value; +#ifndef OPENSSL_SYS_UEFI LDOUBLE fvalue; +#endif char *strvalue; int min; int max; @@ -336,6 +340,7 @@ _dopr( ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), min, max, flags); break; +#ifndef OPENSSL_SYS_UEFI case 'f': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); @@ -360,6 +365,7 @@ _dopr( else fvalue = va_arg(args, double); break; +#endif case 'c': doapr_outch(sbuffer, buffer, &currlen, maxlen, va_arg(args, int)); @@ -566,6 +572,7 @@ fmtint( return; } +#ifndef OPENSSL_SYS_UEFI static LDOUBLE abs_val(LDOUBLE value) { @@ -721,6 +728,7 @@ fmtfp( ++padlen; } } +#endif static void doapr_outch( From 7ed6b96365c69750facf69803a7c81a34210965d Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 040/163] MokManager: rearrange the output of MOK info --- MokManager.c | 237 +++++++++++++++++---------------------------------- 1 file changed, 80 insertions(+), 157 deletions(-) diff --git a/MokManager.c b/MokManager.c index 16cdfe8..8ce5f94 100644 --- a/MokManager.c +++ b/MokManager.c @@ -195,136 +195,30 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { return list; } -static CHAR16* get_x509_name (X509_NAME *X509Name, CHAR16 *name) +static CHAR16* get_x509_common_name (X509_NAME *X509Name) { - char *str; - CHAR16 *ret = NULL; + char str[80]; - str = X509_NAME_oneline(X509Name, NULL, 0); - if (str) { - ret = PoolPrint(L"%s: %a", name, str); - OPENSSL_free(str); - } - return ret; + ZeroMem(str, 80); + X509_NAME_get_text_by_NID (X509Name, NID_commonName, str, 80); + + return PoolPrint(L"%a", str); } -static const char *mon[12]= { -"Jan","Feb","Mar","Apr","May","Jun", -"Jul","Aug","Sep","Oct","Nov","Dec" -}; - -static void print_x509_GENERALIZEDTIME_time (ASN1_TIME *time, CHAR16 *time_string) +static CHAR16* get_x509_time (ASN1_TIME *time) { - char *v; - int gmt = 0; - int i; - int y = 0,M = 0,d = 0,h = 0,m = 0,s = 0; - char *f = NULL; - int f_len = 0; + BIO *bio = BIO_new (BIO_s_mem()); + char str[30]; + int len; - i=time->length; - v=(char *)time->data; + ASN1_TIME_print (bio, time); + len = BIO_read(bio, str, 29); + if (len < 0) + len = 0; + str[len] = '\0'; + BIO_free (bio); - if (i < 12) - goto error; - - if (v[i-1] == 'Z') - gmt=1; - - for (i=0; i<12; i++) { - if ((v[i] > '9') || (v[i] < '0')) - goto error; - } - - y = (v[0]-'0')*1000+(v[1]-'0')*100 + (v[2]-'0')*10+(v[3]-'0'); - M = (v[4]-'0')*10+(v[5]-'0'); - - if ((M > 12) || (M < 1)) - goto error; - - d = (v[6]-'0')*10+(v[7]-'0'); - h = (v[8]-'0')*10+(v[9]-'0'); - m = (v[10]-'0')*10+(v[11]-'0'); - - if (time->length >= 14 && - (v[12] >= '0') && (v[12] <= '9') && - (v[13] >= '0') && (v[13] <= '9')) { - s = (v[12]-'0')*10+(v[13]-'0'); - /* Check for fractions of seconds. */ - if (time->length >= 15 && v[14] == '.') { - int l = time->length; - f = &v[14]; /* The decimal point. */ - f_len = 1; - while (14 + f_len < l && f[f_len] >= '0' && - f[f_len] <= '9') - ++f_len; - } - } - - SPrint(time_string, 0, L"%a %2d %02d:%02d:%02d%.*a %d%a", - mon[M-1], d, h, m, s, f_len, f, y, (gmt)?" GMT":""); -error: - return; -} - -static void print_x509_UTCTIME_time (ASN1_TIME *time, CHAR16 *time_string) -{ - char *v; - int gmt=0; - int i; - int y = 0,M = 0,d = 0,h = 0,m = 0,s = 0; - - i=time->length; - v=(char *)time->data; - - if (i < 10) - goto error; - - if (v[i-1] == 'Z') - gmt=1; - - for (i=0; i<10; i++) - if ((v[i] > '9') || (v[i] < '0')) - goto error; - - y = (v[0]-'0')*10+(v[1]-'0'); - - if (y < 50) - y+=100; - - M = (v[2]-'0')*10+(v[3]-'0'); - - if ((M > 12) || (M < 1)) - goto error; - - d = (v[4]-'0')*10+(v[5]-'0'); - h = (v[6]-'0')*10+(v[7]-'0'); - m = (v[8]-'0')*10+(v[9]-'0'); - - if (time->length >=12 && - (v[10] >= '0') && (v[10] <= '9') && - (v[11] >= '0') && (v[11] <= '9')) - s = (v[10]-'0')*10+(v[11]-'0'); - - SPrint(time_string, 0, L"%a %2d %02d:%02d:%02d %d%a", - mon[M-1], d, h, m, s, y+1900, (gmt)?" GMT":""); -error: - return; -} - -static CHAR16* get_x509_time (ASN1_TIME *time, CHAR16 *name) -{ - CHAR16 time_string[30]; - - if (time->type == V_ASN1_UTCTIME) { - print_x509_UTCTIME_time(time, time_string); - } else if (time->type == V_ASN1_GENERALIZEDTIME) { - print_x509_GENERALIZEDTIME_time(time, time_string); - } else { - time_string[0] = '\0'; - } - - return PoolPrint(L"%s: %s", name, time_string); + return PoolPrint(L"%a", str); } static void show_x509_info (X509 *X509Cert, UINT8 *hash) @@ -354,7 +248,6 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) int i, n; bnser = ASN1_INTEGER_to_BN(serial, NULL); n = BN_bn2bin(bnser, hexbuf); - CatPrint(&serial_string, L"Serial Number:"); for (i = 0; i < n; i++) { CatPrint(&serial_string, L"%02x:", hexbuf[i]); } @@ -365,34 +258,32 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) X509Name = X509_get_issuer_name(X509Cert); if (X509Name) { - issuer = get_x509_name(X509Name, L"Issuer"); + issuer = get_x509_common_name(X509Name); if (issuer) fields++; } X509Name = X509_get_subject_name(X509Cert); if (X509Name) { - subject = get_x509_name(X509Name, L"Subject"); + subject = get_x509_common_name(X509Name); if (subject) fields++; } time = X509_get_notBefore(X509Cert); if (time) { - from = get_x509_time(time, L"Validity from"); - if (time) + from = get_x509_time(time); + if (from) fields++; } time = X509_get_notAfter(X509Cert); if (time) { - until = get_x509_time(time, L"Validity till"); + until = get_x509_time(time); if (until) fields++; } -#if 0 - CatPrint(&hash_string1, L"SHA1 Fingerprint: "); for (i=0; i<10; i++) CatPrint(&hash_string1, L"%02x ", hash[i]); for (i=10; i<20; i++) @@ -403,42 +294,48 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) if (hash_string2.str) fields++; -#endif + if (!fields) return; - text = AllocateZeroPool(sizeof(CHAR16 *) * (fields + 1)); + i = 0; + text = AllocateZeroPool(sizeof(CHAR16 *) * (fields*3 + 1)); if (serial_string.str) { - text[i] = serial_string.str; - i++; + text[i++] = StrDuplicate(L"[Serial Number]"); + text[i++] = serial_string.str; + text[i++] = StrDuplicate(L""); } if (issuer) { - text[i] = issuer; - i++; + text[i++] = StrDuplicate(L"[Issuer]"); + text[i++] = issuer; + text[i++] = StrDuplicate(L""); } if (subject) { - text[i] = subject; - i++; + text[i++] = StrDuplicate(L"[Subject]"); + text[i++] = subject; + text[i++] = StrDuplicate(L""); } if (from) { - text[i] = from; - i++; + text[i++] = StrDuplicate(L"[Valid Not Before]"); + text[i++] = from; + text[i++] = StrDuplicate(L""); } if (until) { - text[i] = until; - i++; + text[i++] = StrDuplicate(L"[Valid Not After]"); + text[i++] = until; + text[i++] = StrDuplicate(L""); } if (hash_string1.str) { - text[i] = hash_string1.str; - i++; + text[i++] = StrDuplicate(L"[Fingerprint]"); + text[i++] = hash_string1.str; } if (hash_string2.str) { - text[i] = hash_string2.str; - i++; + text[i++] = hash_string2.str; + text[i++] = StrDuplicate(L""); } text[i] = NULL; - console_alertbox(text); + console_print_box(text, -1); for (i=0; text[i] != NULL; i++) FreePool(text[i]); @@ -446,11 +343,41 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) FreePool(text); } +static void show_efi_hash (UINT8 *hash) +{ + CHAR16 *text[5]; + POOL_PRINT hash_string1; + POOL_PRINT hash_string2; + int i; + + ZeroMem(&hash_string1, sizeof(hash_string1)); + ZeroMem(&hash_string2, sizeof(hash_string2)); + + text[0] = L"SHA256 hash"; + text[1] = L""; + + for (i=0; i<16; i++) + CatPrint(&hash_string1, L"%02x ", hash[i]); + for (i=16; i<32; i++) + CatPrint(&hash_string2, L"%02x ", hash[i]); + + text[2] = hash_string1.str; + text[3] = hash_string2.str; + text[4] = NULL; + + console_print_box(text, -1); + + if (hash_string1.str) + FreePool(hash_string1.str); + + if (hash_string2.str) + FreePool(hash_string2.str); +} + static void show_mok_info (void *Mok, UINTN MokSize) { EFI_STATUS efi_status; UINT8 hash[SHA1_DIGEST_SIZE]; - unsigned int i; X509 *X509Cert; if (!Mok || MokSize == 0) @@ -473,13 +400,7 @@ static void show_mok_info (void *Mok, UINTN MokSize) return; } } else { - Print(L"SHA256 hash:\n "); - for (i = 0; i < SHA256_DIGEST_SIZE; i++) { - Print(L" %02x", ((UINT8 *)Mok)[i]); - if (i % 10 == 9) - Print(L"\n "); - } - Print(L"\n"); + show_efi_hash(Mok); } } @@ -521,7 +442,9 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) key_num = console_select((CHAR16 *[]){ title, NULL }, menu_strings, 0); - if (key_num < MokNum) + if (key_num < 0) + break; + else if (key_num < MokNum) show_mok_info(keys[key_num].Mok, keys[key_num].MokSize); } From 5f7ade1950d6d5ef8bc157434ada0888e91e8c0f Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 041/163] MokManager: enhance the password prompt for SB state --- MokManager.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/MokManager.c b/MokManager.c index 8ce5f94..db3f4c0 100644 --- a/MokManager.c +++ b/MokManager.c @@ -957,13 +957,39 @@ static INTN mok_deletion_prompt (void *MokDel, UINTN MokDelSize) return -1; } +static CHAR16 get_password_charater (CHAR16 *prompt) +{ + SIMPLE_TEXT_OUTPUT_MODE SavedMode; + CHAR16 *message[2]; + CHAR16 character; + UINTN length; + UINT32 pw_length; + + if (!prompt) + prompt = L"Password charater: "; + + console_save_and_set_mode(&SavedMode); + + message[0] = prompt; + message[1] = NULL; + length = StrLen(message[0]); + console_print_box_at(message, -1, -length-4, -5, length+4, 3, 0, 1); + get_line(&pw_length, &character, 1, 0); + + console_restore_mode(&SavedMode); + + return character; +} + static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; + SIMPLE_TEXT_OUTPUT_MODE SavedMode; MokSBvar *var = MokSB; + CHAR16 *message[4]; CHAR16 pass1, pass2, pass3; + CHAR16 *str; UINT8 fail_count = 0; - UINT32 length; UINT8 sbval = 1; UINT8 pos1, pos2, pos3; int ret; @@ -975,6 +1001,13 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); + message[0] = L"Change Secure Boot state"; + message[1] = NULL; + + console_save_and_set_mode(&SavedMode); + console_print_box_at(message, -1, 0, 0, -1, -1, 1, 1); + console_restore_mode(&SavedMode); + while (fail_count < 3) { RandomBytes (&pos1, sizeof(pos1)); pos1 = (pos1 % var->PWLen); @@ -989,14 +1022,29 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { pos3 = (pos3 % var->PWLen) ; } while (pos3 == pos2 || pos3 == pos1); - Print(L"Enter password character %d: ", pos1 + 1); - get_line(&length, &pass1, 1, 0); + str = PoolPrint(L"Enter password character %d: ", pos1 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return -1; + } + pass1 = get_password_charater(str); + FreePool(str); - Print(L"Enter password character %d: ", pos2 + 1); - get_line(&length, &pass2, 1, 0); + str = PoolPrint(L"Enter password character %d: ", pos2 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return -1; + } + pass2 = get_password_charater(str); + FreePool(str); - Print(L"Enter password character %d: ", pos3 + 1); - get_line(&length, &pass3, 1, 0); + str = PoolPrint(L"Enter password character %d: ", pos3 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return -1; + } + pass3 = get_password_charater(str); + FreePool(str); if (pass1 != var->Password[pos1] || pass2 != var->Password[pos2] || From 2648d29f006c6e27de9ba5df755be9670fcfbb3e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 042/163] MokManager: reboot the system after clearing MOK password --- MokManager.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/MokManager.c b/MokManager.c index db3f4c0..74167c8 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1122,7 +1122,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { LibDeleteVariable(L"MokPWStore", &shim_lock_guid); LibDeleteVariable(L"MokPW", &shim_lock_guid); - return 0; + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, + NULL); + console_notify(L"Failed to reboot"); + return -1; } if (MokPWSize == PASSWORD_CRYPT_SIZE) { From 913f33d366f843ada10b24a1caad0b505d40c6b0 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 043/163] MokManager: fetch more info from X509 name --- MokManager.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 56 insertions(+), 7 deletions(-) diff --git a/MokManager.c b/MokManager.c index 74167c8..16729f1 100644 --- a/MokManager.c +++ b/MokManager.c @@ -15,6 +15,8 @@ #define PASSWORD_MIN 1 #define SB_PASSWORD_LEN 16 +#define NAME_LINE_MAX 70 + #ifndef SHIM_VENDOR #define SHIM_VENDOR L"Shim" #endif @@ -195,14 +197,61 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { return list; } -static CHAR16* get_x509_common_name (X509_NAME *X509Name) +typedef struct { + int nid; + CHAR16 *name; +} NidName; + +static NidName nidname[] = { + {NID_commonName, L"CN"}, + {NID_organizationName, L"O"}, + {NID_countryName, L"C"}, + {NID_stateOrProvinceName, L"ST"}, + {NID_localityName, L"L"}, + {-1, NULL} +}; + +static CHAR16* get_x509_name (X509_NAME *X509Name) { - char str[80]; + CHAR16 name[NAME_LINE_MAX+1]; + CHAR16 part[NAME_LINE_MAX+1]; + char str[NAME_LINE_MAX]; + int i, len, rest, first; - ZeroMem(str, 80); - X509_NAME_get_text_by_NID (X509Name, NID_commonName, str, 80); + name[0] = '\0'; + rest = NAME_LINE_MAX; + first = 1; + for (i = 0; nidname[i].name != NULL; i++) { + int add; + len = X509_NAME_get_text_by_NID (X509Name, nidname[i].nid, + str, NAME_LINE_MAX); + if (len <= 0) + continue; - return PoolPrint(L"%a", str); + if (first) + add = len + (int)StrLen(nidname[i].name) + 1; + else + add = len + (int)StrLen(nidname[i].name) + 3; + + if (add > rest) + continue; + + if (first) { + SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), L"%s=%a", + nidname[i].name, str); + } else { + SPrint(part, NAME_LINE_MAX * sizeof(CHAR16), L", %s=%a", + nidname[i].name, str); + } + StrCat(name, part); + rest -= add; + first = 0; + } + + if (rest >= 0 && rest < NAME_LINE_MAX) + return PoolPrint(L"%s", name); + + return NULL; } static CHAR16* get_x509_time (ASN1_TIME *time) @@ -258,14 +307,14 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) X509Name = X509_get_issuer_name(X509Cert); if (X509Name) { - issuer = get_x509_common_name(X509Name); + issuer = get_x509_name(X509Name); if (issuer) fields++; } X509Name = X509_get_subject_name(X509Cert); if (X509Name) { - subject = get_x509_common_name(X509Name); + subject = get_x509_name(X509Name); if (subject) fields++; } From 71e70c72df612b34cf92a5bd706afd5322839e18 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 044/163] MokManager: check the suffix of the key file --- MokManager.c | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/MokManager.c b/MokManager.c index 16729f1..f6bc6c2 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1214,7 +1214,7 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return -1; } -static UINTN verify_certificate(void *cert, UINTN size) +static BOOLEAN verify_certificate(void *cert, UINTN size) { X509 *X509Cert; if (!cert || size == 0) @@ -1356,6 +1356,34 @@ static void mok_hash_enroll(void) FreePool(data); } +static CHAR16 *der_suffix[] = { + L".cer", + L".der", + L".crt", + NULL +}; + +static BOOLEAN check_der_suffix (CHAR16 *file_name) +{ + CHAR16 suffix[5]; + int i; + + if (!file_name || StrLen(file_name) <= 4) + return FALSE; + + suffix[0] = '\0'; + StrCat(suffix, file_name + StrLen(file_name) - 4); + + StrLwr (suffix); + for (i = 0; der_suffix[i] != NULL; i++) { + if (StrCmp(suffix, der_suffix[i]) == 0) { + return TRUE; + } + } + + return FALSE; +} + static void mok_key_enroll(void) { EFI_STATUS efi_status; @@ -1377,6 +1405,15 @@ static void mok_key_enroll(void) if (!file_name) return; + if (!check_der_suffix(file_name)) { + console_alertbox((CHAR16 *[]){ + L"Unsupported Format", + L"", + L"Only DER encoded certificate (*.cer/der/crt) is supported", + NULL}); + return; + } + efi_status = simple_file_open(im, file_name, &file, EFI_FILE_MODE_READ); if (efi_status != EFI_SUCCESS) { From 744cb2109b2ddd9b9305faa321bcd10746947c44 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 045/163] Rand: check the status of the pseudorandom number generator --- Cryptlib/Rand/CryptRand.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Cryptlib/Rand/CryptRand.c b/Cryptlib/Rand/CryptRand.c index 4b27595..a61c0c2 100644 --- a/Cryptlib/Rand/CryptRand.c +++ b/Cryptlib/Rand/CryptRand.c @@ -53,7 +53,11 @@ RandomSeed ( RAND_seed (DefaultSeed, sizeof (DefaultSeed)); } - return TRUE; + if (RAND_status () == 1) { + return TRUE; + } + + return FALSE; } /** From 87bcb40438e3575acce8f2759aadf924adbf2c48 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 046/163] Adjust the result of gmtime() to fit the definition --- Cryptlib/SysCall/TimerWrapper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Cryptlib/SysCall/TimerWrapper.c b/Cryptlib/SysCall/TimerWrapper.c index bb7bcba..cee72ba 100644 --- a/Cryptlib/SysCall/TimerWrapper.c +++ b/Cryptlib/SysCall/TimerWrapper.c @@ -146,14 +146,14 @@ struct tm * gmtime (const time_t *timer) GmTime->tm_yday = (int) DayNo; for (MonthNo = 12; MonthNo > 1; MonthNo--) { - if (DayNo > CumulativeDays[IsLeap(Year)][MonthNo]) { + if (DayNo >= CumulativeDays[IsLeap(Year)][MonthNo]) { DayNo = (UINT16) (DayNo - (UINT16) (CumulativeDays[IsLeap(Year)][MonthNo])); break; } } - GmTime->tm_mon = (int) MonthNo; - GmTime->tm_mday = (int) DayNo; + GmTime->tm_mon = (int) MonthNo - 1; + GmTime->tm_mday = (int) DayNo + 1; GmTime->tm_isdst = 0; GmTime->tm_gmtoff = 0; From ca2e00d0670cc08e2460d6586df669bc3396abcf Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 047/163] Free unused memory space --- shim.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shim.c b/shim.c index 3628543..e9e6771 100644 --- a/shim.c +++ b/shim.c @@ -643,6 +643,9 @@ static EFI_STATUS verify_mok (void) { return status; } + if (MokListData) + FreePool(MokListData); + return EFI_SUCCESS; } @@ -1421,6 +1424,8 @@ static EFI_STATUS check_mok_sb (void) } } + FreePool(MokSBState); + return status; } From 40375a8bea7e5b50bb921ce59ff5fa8b8844f450 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 048/163] Merge two PeImage.h into one Conflicts: Makefile --- Makefile | 4 +- PeImage.h | 792 ------------------------------------------------------ 2 files changed, 2 insertions(+), 794 deletions(-) delete mode 100644 PeImage.h diff --git a/Makefile b/Makefile index 0e40022..83b3df9 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ SUBDIRS = Cryptlib lib LIB_PATH = /usr/lib64 EFI_INCLUDE = /usr/include/efi -EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol +EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude EFI_PATH := /usr/lib64/gnuefi LIB_GCC = $(shell $(CC) -print-libgcc-file-name) @@ -38,7 +38,7 @@ VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key -SOURCES = shim.c shim.h netboot.c signature.h PeImage.h +SOURCES = shim.c shim.h netboot.c signature.h include/PeImage.h include/wincert.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o diff --git a/PeImage.h b/PeImage.h deleted file mode 100644 index 6f8e25f..0000000 --- a/PeImage.h +++ /dev/null @@ -1,792 +0,0 @@ -/** @file - EFI image format for PE32, PE32+ and TE. Please note some data structures are - different for PE32 and PE32+. EFI_IMAGE_NT_HEADERS32 is for PE32 and - EFI_IMAGE_NT_HEADERS64 is for PE32+. - - This file is coded to the Visual Studio, Microsoft Portable Executable and - Common Object File Format Specification, Revision 8.0 - May 16, 2006. - This file also includes some definitions in PI Specification, Revision 1.0. - -Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.
-Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php. - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#ifndef __PE_IMAGE_H__ -#define __PE_IMAGE_H__ - -#define SIGNATURE_16(A, B) ((A) | (B << 8)) -#define SIGNATURE_32(A, B, C, D) (SIGNATURE_16 (A, B) | (SIGNATURE_16 (C, D) << 16)) -#define SIGNATURE_64(A, B, C, D, E, F, G, H) \ - (SIGNATURE_32 (A, B, C, D) | ((UINT64) (SIGNATURE_32 (E, F, G, H)) << 32)) - -#define ALIGN_VALUE(Value, Alignment) ((Value) + (((Alignment) - (Value)) & ((Alignment) - 1))) -#define ALIGN_POINTER(Pointer, Alignment) ((VOID *) (ALIGN_VALUE ((UINTN)(Pointer), (Alignment)))) - -// -// PE32+ Subsystem type for EFI images -// -#define EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION 10 -#define EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 -#define EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 -#define EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER 13 ///< defined PI Specification, 1.0 - - -// -// PE32+ Machine type for EFI images -// -#define IMAGE_FILE_MACHINE_I386 0x014c -#define IMAGE_FILE_MACHINE_IA64 0x0200 -#define IMAGE_FILE_MACHINE_EBC 0x0EBC -#define IMAGE_FILE_MACHINE_X64 0x8664 -#define IMAGE_FILE_MACHINE_ARMTHUMB_MIXED 0x01c2 - -// -// EXE file formats -// -#define EFI_IMAGE_DOS_SIGNATURE SIGNATURE_16('M', 'Z') -#define EFI_IMAGE_OS2_SIGNATURE SIGNATURE_16('N', 'E') -#define EFI_IMAGE_OS2_SIGNATURE_LE SIGNATURE_16('L', 'E') -#define EFI_IMAGE_NT_SIGNATURE SIGNATURE_32('P', 'E', '\0', '\0') - -/// -/// PE images can start with an optional DOS header, so if an image is run -/// under DOS it can print an error message. -/// -typedef struct { - UINT16 e_magic; ///< Magic number. - UINT16 e_cblp; ///< Bytes on last page of file. - UINT16 e_cp; ///< Pages in file. - UINT16 e_crlc; ///< Relocations. - UINT16 e_cparhdr; ///< Size of header in paragraphs. - UINT16 e_minalloc; ///< Minimum extra paragraphs needed. - UINT16 e_maxalloc; ///< Maximum extra paragraphs needed. - UINT16 e_ss; ///< Initial (relative) SS value. - UINT16 e_sp; ///< Initial SP value. - UINT16 e_csum; ///< Checksum. - UINT16 e_ip; ///< Initial IP value. - UINT16 e_cs; ///< Initial (relative) CS value. - UINT16 e_lfarlc; ///< File address of relocation table. - UINT16 e_ovno; ///< Overlay number. - UINT16 e_res[4]; ///< Reserved words. - UINT16 e_oemid; ///< OEM identifier (for e_oeminfo). - UINT16 e_oeminfo; ///< OEM information; e_oemid specific. - UINT16 e_res2[10]; ///< Reserved words. - UINT32 e_lfanew; ///< File address of new exe header. -} EFI_IMAGE_DOS_HEADER; - -/// -/// COFF File Header (Object and Image). -/// -typedef struct { - UINT16 Machine; - UINT16 NumberOfSections; - UINT32 TimeDateStamp; - UINT32 PointerToSymbolTable; - UINT32 NumberOfSymbols; - UINT16 SizeOfOptionalHeader; - UINT16 Characteristics; -} EFI_IMAGE_FILE_HEADER; - -/// -/// Size of EFI_IMAGE_FILE_HEADER. -/// -#define EFI_IMAGE_SIZEOF_FILE_HEADER 20 - -// -// Characteristics -// -#define EFI_IMAGE_FILE_RELOCS_STRIPPED (1 << 0) ///< 0x0001 Relocation info stripped from file. -#define EFI_IMAGE_FILE_EXECUTABLE_IMAGE (1 << 1) ///< 0x0002 File is executable (i.e. no unresolved externel references). -#define EFI_IMAGE_FILE_LINE_NUMS_STRIPPED (1 << 2) ///< 0x0004 Line nunbers stripped from file. -#define EFI_IMAGE_FILE_LOCAL_SYMS_STRIPPED (1 << 3) ///< 0x0008 Local symbols stripped from file. -#define EFI_IMAGE_FILE_BYTES_REVERSED_LO (1 << 7) ///< 0x0080 Bytes of machine word are reversed. -#define EFI_IMAGE_FILE_32BIT_MACHINE (1 << 8) ///< 0x0100 32 bit word machine. -#define EFI_IMAGE_FILE_DEBUG_STRIPPED (1 << 9) ///< 0x0200 Debugging info stripped from file in .DBG file. -#define EFI_IMAGE_FILE_SYSTEM (1 << 12) ///< 0x1000 System File. -#define EFI_IMAGE_FILE_DLL (1 << 13) ///< 0x2000 File is a DLL. -#define EFI_IMAGE_FILE_BYTES_REVERSED_HI (1 << 15) ///< 0x8000 Bytes of machine word are reversed. - -/// -/// Header Data Directories. -/// -typedef struct { - UINT32 VirtualAddress; - UINT32 Size; -} EFI_IMAGE_DATA_DIRECTORY; - -// -// Directory Entries -// -#define EFI_IMAGE_DIRECTORY_ENTRY_EXPORT 0 -#define EFI_IMAGE_DIRECTORY_ENTRY_IMPORT 1 -#define EFI_IMAGE_DIRECTORY_ENTRY_RESOURCE 2 -#define EFI_IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 -#define EFI_IMAGE_DIRECTORY_ENTRY_SECURITY 4 -#define EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC 5 -#define EFI_IMAGE_DIRECTORY_ENTRY_DEBUG 6 -#define EFI_IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 -#define EFI_IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 -#define EFI_IMAGE_DIRECTORY_ENTRY_TLS 9 -#define EFI_IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 - -#define EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES 16 - -/// -/// @attention -/// EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC means PE32 and -/// EFI_IMAGE_OPTIONAL_HEADER32 must be used. The data structures only vary -/// after NT additional fields. -/// -#define EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b - -/// -/// Optional Header Standard Fields for PE32. -/// -typedef struct { - /// - /// Standard fields. - /// - UINT16 Magic; - UINT8 MajorLinkerVersion; - UINT8 MinorLinkerVersion; - UINT32 SizeOfCode; - UINT32 SizeOfInitializedData; - UINT32 SizeOfUninitializedData; - UINT32 AddressOfEntryPoint; - UINT32 BaseOfCode; - UINT32 BaseOfData; ///< PE32 contains this additional field, which is absent in PE32+. - /// - /// Optional Header Windows-Specific Fields. - /// - UINT32 ImageBase; - UINT32 SectionAlignment; - UINT32 FileAlignment; - UINT16 MajorOperatingSystemVersion; - UINT16 MinorOperatingSystemVersion; - UINT16 MajorImageVersion; - UINT16 MinorImageVersion; - UINT16 MajorSubsystemVersion; - UINT16 MinorSubsystemVersion; - UINT32 Win32VersionValue; - UINT32 SizeOfImage; - UINT32 SizeOfHeaders; - UINT32 CheckSum; - UINT16 Subsystem; - UINT16 DllCharacteristics; - UINT32 SizeOfStackReserve; - UINT32 SizeOfStackCommit; - UINT32 SizeOfHeapReserve; - UINT32 SizeOfHeapCommit; - UINT32 LoaderFlags; - UINT32 NumberOfRvaAndSizes; - EFI_IMAGE_DATA_DIRECTORY DataDirectory[EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES]; -} EFI_IMAGE_OPTIONAL_HEADER32; - -/// -/// @attention -/// EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC means PE32+ and -/// EFI_IMAGE_OPTIONAL_HEADER64 must be used. The data structures only vary -/// after NT additional fields. -/// -#define EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b - -/// -/// Optional Header Standard Fields for PE32+. -/// -typedef struct { - /// - /// Standard fields. - /// - UINT16 Magic; - UINT8 MajorLinkerVersion; - UINT8 MinorLinkerVersion; - UINT32 SizeOfCode; - UINT32 SizeOfInitializedData; - UINT32 SizeOfUninitializedData; - UINT32 AddressOfEntryPoint; - UINT32 BaseOfCode; - /// - /// Optional Header Windows-Specific Fields. - /// - UINT64 ImageBase; - UINT32 SectionAlignment; - UINT32 FileAlignment; - UINT16 MajorOperatingSystemVersion; - UINT16 MinorOperatingSystemVersion; - UINT16 MajorImageVersion; - UINT16 MinorImageVersion; - UINT16 MajorSubsystemVersion; - UINT16 MinorSubsystemVersion; - UINT32 Win32VersionValue; - UINT32 SizeOfImage; - UINT32 SizeOfHeaders; - UINT32 CheckSum; - UINT16 Subsystem; - UINT16 DllCharacteristics; - UINT64 SizeOfStackReserve; - UINT64 SizeOfStackCommit; - UINT64 SizeOfHeapReserve; - UINT64 SizeOfHeapCommit; - UINT32 LoaderFlags; - UINT32 NumberOfRvaAndSizes; - EFI_IMAGE_DATA_DIRECTORY DataDirectory[EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES]; -} EFI_IMAGE_OPTIONAL_HEADER64; - - -/// -/// @attention -/// EFI_IMAGE_NT_HEADERS32 is for use ONLY by tools. -/// -typedef struct { - UINT32 Signature; - EFI_IMAGE_FILE_HEADER FileHeader; - EFI_IMAGE_OPTIONAL_HEADER32 OptionalHeader; -} EFI_IMAGE_NT_HEADERS32; - -#define EFI_IMAGE_SIZEOF_NT_OPTIONAL32_HEADER sizeof (EFI_IMAGE_NT_HEADERS32) - -/// -/// @attention -/// EFI_IMAGE_HEADERS64 is for use ONLY by tools. -/// -typedef struct { - UINT32 Signature; - EFI_IMAGE_FILE_HEADER FileHeader; - EFI_IMAGE_OPTIONAL_HEADER64 OptionalHeader; -} EFI_IMAGE_NT_HEADERS64; - -#define EFI_IMAGE_SIZEOF_NT_OPTIONAL64_HEADER sizeof (EFI_IMAGE_NT_HEADERS64) - -// -// Other Windows Subsystem Values -// -#define EFI_IMAGE_SUBSYSTEM_UNKNOWN 0 -#define EFI_IMAGE_SUBSYSTEM_NATIVE 1 -#define EFI_IMAGE_SUBSYSTEM_WINDOWS_GUI 2 -#define EFI_IMAGE_SUBSYSTEM_WINDOWS_CUI 3 -#define EFI_IMAGE_SUBSYSTEM_OS2_CUI 5 -#define EFI_IMAGE_SUBSYSTEM_POSIX_CUI 7 - -/// -/// Length of ShortName. -/// -#define EFI_IMAGE_SIZEOF_SHORT_NAME 8 - -/// -/// Section Table. This table immediately follows the optional header. -/// -typedef struct { - UINT8 Name[EFI_IMAGE_SIZEOF_SHORT_NAME]; - union { - UINT32 PhysicalAddress; - UINT32 VirtualSize; - } Misc; - UINT32 VirtualAddress; - UINT32 SizeOfRawData; - UINT32 PointerToRawData; - UINT32 PointerToRelocations; - UINT32 PointerToLinenumbers; - UINT16 NumberOfRelocations; - UINT16 NumberOfLinenumbers; - UINT32 Characteristics; -} EFI_IMAGE_SECTION_HEADER; - -/// -/// Size of EFI_IMAGE_SECTION_HEADER. -/// -#define EFI_IMAGE_SIZEOF_SECTION_HEADER 40 - -// -// Section Flags Values -// -#define EFI_IMAGE_SCN_TYPE_NO_PAD BIT3 ///< 0x00000008 ///< Reserved. -#define EFI_IMAGE_SCN_CNT_CODE BIT5 ///< 0x00000020 -#define EFI_IMAGE_SCN_CNT_INITIALIZED_DATA BIT6 ///< 0x00000040 -#define EFI_IMAGE_SCN_CNT_UNINITIALIZED_DATA BIT7 ///< 0x00000080 - -#define EFI_IMAGE_SCN_LNK_OTHER BIT8 ///< 0x00000100 ///< Reserved. -#define EFI_IMAGE_SCN_LNK_INFO BIT9 ///< 0x00000200 ///< Section contains comments or some other type of information. -#define EFI_IMAGE_SCN_LNK_REMOVE BIT11 ///< 0x00000800 ///< Section contents will not become part of image. -#define EFI_IMAGE_SCN_LNK_COMDAT BIT12 ///< 0x00001000 - -#define EFI_IMAGE_SCN_ALIGN_1BYTES BIT20 ///< 0x00100000 -#define EFI_IMAGE_SCN_ALIGN_2BYTES BIT21 ///< 0x00200000 -#define EFI_IMAGE_SCN_ALIGN_4BYTES (BIT20|BIT21) ///< 0x00300000 -#define EFI_IMAGE_SCN_ALIGN_8BYTES BIT22 ///< 0x00400000 -#define EFI_IMAGE_SCN_ALIGN_16BYTES (BIT20|BIT22) ///< 0x00500000 -#define EFI_IMAGE_SCN_ALIGN_32BYTES (BIT21|BIT22) ///< 0x00600000 -#define EFI_IMAGE_SCN_ALIGN_64BYTES (BIT20|BIT21|BIT22) ///< 0x00700000 - -#define EFI_IMAGE_SCN_MEM_DISCARDABLE BIT25 ///< 0x02000000 -#define EFI_IMAGE_SCN_MEM_NOT_CACHED BIT26 ///< 0x04000000 -#define EFI_IMAGE_SCN_MEM_NOT_PAGED BIT27 ///< 0x08000000 -#define EFI_IMAGE_SCN_MEM_SHARED BIT28 ///< 0x10000000 -#define EFI_IMAGE_SCN_MEM_EXECUTE BIT29 ///< 0x20000000 -#define EFI_IMAGE_SCN_MEM_READ BIT30 ///< 0x40000000 -#define EFI_IMAGE_SCN_MEM_WRITE BIT31 ///< 0x80000000 - -/// -/// Size of a Symbol Table Record. -/// -#define EFI_IMAGE_SIZEOF_SYMBOL 18 - -// -// Symbols have a section number of the section in which they are -// defined. Otherwise, section numbers have the following meanings: -// -#define EFI_IMAGE_SYM_UNDEFINED (UINT16) 0 ///< Symbol is undefined or is common. -#define EFI_IMAGE_SYM_ABSOLUTE (UINT16) -1 ///< Symbol is an absolute value. -#define EFI_IMAGE_SYM_DEBUG (UINT16) -2 ///< Symbol is a special debug item. - -// -// Symbol Type (fundamental) values. -// -#define EFI_IMAGE_SYM_TYPE_NULL 0 ///< no type. -#define EFI_IMAGE_SYM_TYPE_VOID 1 ///< no valid type. -#define EFI_IMAGE_SYM_TYPE_CHAR 2 ///< type character. -#define EFI_IMAGE_SYM_TYPE_SHORT 3 ///< type short integer. -#define EFI_IMAGE_SYM_TYPE_INT 4 -#define EFI_IMAGE_SYM_TYPE_LONG 5 -#define EFI_IMAGE_SYM_TYPE_FLOAT 6 -#define EFI_IMAGE_SYM_TYPE_DOUBLE 7 -#define EFI_IMAGE_SYM_TYPE_STRUCT 8 -#define EFI_IMAGE_SYM_TYPE_UNION 9 -#define EFI_IMAGE_SYM_TYPE_ENUM 10 ///< enumeration. -#define EFI_IMAGE_SYM_TYPE_MOE 11 ///< member of enumeration. -#define EFI_IMAGE_SYM_TYPE_BYTE 12 -#define EFI_IMAGE_SYM_TYPE_WORD 13 -#define EFI_IMAGE_SYM_TYPE_UINT 14 -#define EFI_IMAGE_SYM_TYPE_DWORD 15 - -// -// Symbol Type (derived) values. -// -#define EFI_IMAGE_SYM_DTYPE_NULL 0 ///< no derived type. -#define EFI_IMAGE_SYM_DTYPE_POINTER 1 -#define EFI_IMAGE_SYM_DTYPE_FUNCTION 2 -#define EFI_IMAGE_SYM_DTYPE_ARRAY 3 - -// -// Storage classes. -// -#define EFI_IMAGE_SYM_CLASS_END_OF_FUNCTION ((UINT8) -1) -#define EFI_IMAGE_SYM_CLASS_NULL 0 -#define EFI_IMAGE_SYM_CLASS_AUTOMATIC 1 -#define EFI_IMAGE_SYM_CLASS_EXTERNAL 2 -#define EFI_IMAGE_SYM_CLASS_STATIC 3 -#define EFI_IMAGE_SYM_CLASS_REGISTER 4 -#define EFI_IMAGE_SYM_CLASS_EXTERNAL_DEF 5 -#define EFI_IMAGE_SYM_CLASS_LABEL 6 -#define EFI_IMAGE_SYM_CLASS_UNDEFINED_LABEL 7 -#define EFI_IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 8 -#define EFI_IMAGE_SYM_CLASS_ARGUMENT 9 -#define EFI_IMAGE_SYM_CLASS_STRUCT_TAG 10 -#define EFI_IMAGE_SYM_CLASS_MEMBER_OF_UNION 11 -#define EFI_IMAGE_SYM_CLASS_UNION_TAG 12 -#define EFI_IMAGE_SYM_CLASS_TYPE_DEFINITION 13 -#define EFI_IMAGE_SYM_CLASS_UNDEFINED_STATIC 14 -#define EFI_IMAGE_SYM_CLASS_ENUM_TAG 15 -#define EFI_IMAGE_SYM_CLASS_MEMBER_OF_ENUM 16 -#define EFI_IMAGE_SYM_CLASS_REGISTER_PARAM 17 -#define EFI_IMAGE_SYM_CLASS_BIT_FIELD 18 -#define EFI_IMAGE_SYM_CLASS_BLOCK 100 -#define EFI_IMAGE_SYM_CLASS_FUNCTION 101 -#define EFI_IMAGE_SYM_CLASS_END_OF_STRUCT 102 -#define EFI_IMAGE_SYM_CLASS_FILE 103 -#define EFI_IMAGE_SYM_CLASS_SECTION 104 -#define EFI_IMAGE_SYM_CLASS_WEAK_EXTERNAL 105 - -// -// type packing constants -// -#define EFI_IMAGE_N_BTMASK 017 -#define EFI_IMAGE_N_TMASK 060 -#define EFI_IMAGE_N_TMASK1 0300 -#define EFI_IMAGE_N_TMASK2 0360 -#define EFI_IMAGE_N_BTSHFT 4 -#define EFI_IMAGE_N_TSHIFT 2 - -// -// Communal selection types. -// -#define EFI_IMAGE_COMDAT_SELECT_NODUPLICATES 1 -#define EFI_IMAGE_COMDAT_SELECT_ANY 2 -#define EFI_IMAGE_COMDAT_SELECT_SAME_SIZE 3 -#define EFI_IMAGE_COMDAT_SELECT_EXACT_MATCH 4 -#define EFI_IMAGE_COMDAT_SELECT_ASSOCIATIVE 5 - -// -// the following values only be referred in PeCoff, not defined in PECOFF. -// -#define EFI_IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY 1 -#define EFI_IMAGE_WEAK_EXTERN_SEARCH_LIBRARY 2 -#define EFI_IMAGE_WEAK_EXTERN_SEARCH_ALIAS 3 - -/// -/// Relocation format. -/// -typedef struct { - UINT32 VirtualAddress; - UINT32 SymbolTableIndex; - UINT16 Type; -} EFI_IMAGE_RELOCATION; - -/// -/// Size of EFI_IMAGE_RELOCATION -/// -#define EFI_IMAGE_SIZEOF_RELOCATION 10 - -// -// I386 relocation types. -// -#define EFI_IMAGE_REL_I386_ABSOLUTE 0x0000 ///< Reference is absolute, no relocation is necessary. -#define EFI_IMAGE_REL_I386_DIR16 0x0001 ///< Direct 16-bit reference to the symbols virtual address. -#define EFI_IMAGE_REL_I386_REL16 0x0002 ///< PC-relative 16-bit reference to the symbols virtual address. -#define EFI_IMAGE_REL_I386_DIR32 0x0006 ///< Direct 32-bit reference to the symbols virtual address. -#define EFI_IMAGE_REL_I386_DIR32NB 0x0007 ///< Direct 32-bit reference to the symbols virtual address, base not included. -#define EFI_IMAGE_REL_I386_SEG12 0x0009 ///< Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address. -#define EFI_IMAGE_REL_I386_SECTION 0x000A -#define EFI_IMAGE_REL_I386_SECREL 0x000B -#define EFI_IMAGE_REL_I386_REL32 0x0014 ///< PC-relative 32-bit reference to the symbols virtual address. - -// -// x64 processor relocation types. -// -#define IMAGE_REL_AMD64_ABSOLUTE 0x0000 -#define IMAGE_REL_AMD64_ADDR64 0x0001 -#define IMAGE_REL_AMD64_ADDR32 0x0002 -#define IMAGE_REL_AMD64_ADDR32NB 0x0003 -#define IMAGE_REL_AMD64_REL32 0x0004 -#define IMAGE_REL_AMD64_REL32_1 0x0005 -#define IMAGE_REL_AMD64_REL32_2 0x0006 -#define IMAGE_REL_AMD64_REL32_3 0x0007 -#define IMAGE_REL_AMD64_REL32_4 0x0008 -#define IMAGE_REL_AMD64_REL32_5 0x0009 -#define IMAGE_REL_AMD64_SECTION 0x000A -#define IMAGE_REL_AMD64_SECREL 0x000B -#define IMAGE_REL_AMD64_SECREL7 0x000C -#define IMAGE_REL_AMD64_TOKEN 0x000D -#define IMAGE_REL_AMD64_SREL32 0x000E -#define IMAGE_REL_AMD64_PAIR 0x000F -#define IMAGE_REL_AMD64_SSPAN32 0x0010 - -/// -/// Based relocation format. -/// -typedef struct { - UINT32 VirtualAddress; - UINT32 SizeOfBlock; -} EFI_IMAGE_BASE_RELOCATION; - -/// -/// Size of EFI_IMAGE_BASE_RELOCATION. -/// -#define EFI_IMAGE_SIZEOF_BASE_RELOCATION 8 - -// -// Based relocation types. -// -#define EFI_IMAGE_REL_BASED_ABSOLUTE 0 -#define EFI_IMAGE_REL_BASED_HIGH 1 -#define EFI_IMAGE_REL_BASED_LOW 2 -#define EFI_IMAGE_REL_BASED_HIGHLOW 3 -#define EFI_IMAGE_REL_BASED_HIGHADJ 4 -#define EFI_IMAGE_REL_BASED_MIPS_JMPADDR 5 -#define EFI_IMAGE_REL_BASED_ARM_MOV32A 5 -#define EFI_IMAGE_REL_BASED_ARM_MOV32T 7 -#define EFI_IMAGE_REL_BASED_IA64_IMM64 9 -#define EFI_IMAGE_REL_BASED_MIPS_JMPADDR16 9 -#define EFI_IMAGE_REL_BASED_DIR64 10 - -/// -/// Line number format. -/// -typedef struct { - union { - UINT32 SymbolTableIndex; ///< Symbol table index of function name if Linenumber is 0. - UINT32 VirtualAddress; ///< Virtual address of line number. - } Type; - UINT16 Linenumber; ///< Line number. -} EFI_IMAGE_LINENUMBER; - -/// -/// Size of EFI_IMAGE_LINENUMBER. -/// -#define EFI_IMAGE_SIZEOF_LINENUMBER 6 - -// -// Archive format. -// -#define EFI_IMAGE_ARCHIVE_START_SIZE 8 -#define EFI_IMAGE_ARCHIVE_START "!\n" -#define EFI_IMAGE_ARCHIVE_END "`\n" -#define EFI_IMAGE_ARCHIVE_PAD "\n" -#define EFI_IMAGE_ARCHIVE_LINKER_MEMBER "/ " -#define EFI_IMAGE_ARCHIVE_LONGNAMES_MEMBER "// " - -/// -/// Archive Member Headers -/// -typedef struct { - UINT8 Name[16]; ///< File member name - `/' terminated. - UINT8 Date[12]; ///< File member date - decimal. - UINT8 UserID[6]; ///< File member user id - decimal. - UINT8 GroupID[6]; ///< File member group id - decimal. - UINT8 Mode[8]; ///< File member mode - octal. - UINT8 Size[10]; ///< File member size - decimal. - UINT8 EndHeader[2]; ///< String to end header. (0x60 0x0A). -} EFI_IMAGE_ARCHIVE_MEMBER_HEADER; - -/// -/// Size of EFI_IMAGE_ARCHIVE_MEMBER_HEADER. -/// -#define EFI_IMAGE_SIZEOF_ARCHIVE_MEMBER_HDR 60 - - -// -// DLL Support -// - -/// -/// Export Directory Table. -/// -typedef struct { - UINT32 Characteristics; - UINT32 TimeDateStamp; - UINT16 MajorVersion; - UINT16 MinorVersion; - UINT32 Name; - UINT32 Base; - UINT32 NumberOfFunctions; - UINT32 NumberOfNames; - UINT32 AddressOfFunctions; - UINT32 AddressOfNames; - UINT32 AddressOfNameOrdinals; -} EFI_IMAGE_EXPORT_DIRECTORY; - -/// -/// Hint/Name Table. -/// -typedef struct { - UINT16 Hint; - UINT8 Name[1]; -} EFI_IMAGE_IMPORT_BY_NAME; - -/// -/// Import Address Table RVA (Thunk Table). -/// -typedef struct { - union { - UINT32 Function; - UINT32 Ordinal; - EFI_IMAGE_IMPORT_BY_NAME *AddressOfData; - } u1; -} EFI_IMAGE_THUNK_DATA; - -#define EFI_IMAGE_ORDINAL_FLAG BIT31 ///< Flag for PE32. -#define EFI_IMAGE_SNAP_BY_ORDINAL(Ordinal) ((Ordinal & EFI_IMAGE_ORDINAL_FLAG) != 0) -#define EFI_IMAGE_ORDINAL(Ordinal) (Ordinal & 0xffff) - -/// -/// Import Directory Table -/// -typedef struct { - UINT32 Characteristics; - UINT32 TimeDateStamp; - UINT32 ForwarderChain; - UINT32 Name; - EFI_IMAGE_THUNK_DATA *FirstThunk; -} EFI_IMAGE_IMPORT_DESCRIPTOR; - - -/// -/// Debug Directory Format. -/// -typedef struct { - UINT32 Characteristics; - UINT32 TimeDateStamp; - UINT16 MajorVersion; - UINT16 MinorVersion; - UINT32 Type; - UINT32 SizeOfData; - UINT32 RVA; ///< The address of the debug data when loaded, relative to the image base. - UINT32 FileOffset; ///< The file pointer to the debug data. -} EFI_IMAGE_DEBUG_DIRECTORY_ENTRY; - -#define EFI_IMAGE_DEBUG_TYPE_CODEVIEW 2 ///< The Visual C++ debug information. - -/// -/// Debug Data Structure defined in Microsoft C++. -/// -#define CODEVIEW_SIGNATURE_NB10 SIGNATURE_32('N', 'B', '1', '0') -typedef struct { - UINT32 Signature; ///< "NB10" - UINT32 Unknown; - UINT32 Unknown2; - UINT32 Unknown3; - // - // Filename of .PDB goes here - // -} EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY; - -/// -/// Debug Data Structure defined in Microsoft C++. -/// -#define CODEVIEW_SIGNATURE_RSDS SIGNATURE_32('R', 'S', 'D', 'S') -typedef struct { - UINT32 Signature; ///< "RSDS". - UINT32 Unknown; - UINT32 Unknown2; - UINT32 Unknown3; - UINT32 Unknown4; - UINT32 Unknown5; - // - // Filename of .PDB goes here - // -} EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY; - - -/// -/// Debug Data Structure defined by Apple Mach-O to Coff utility. -/// -#define CODEVIEW_SIGNATURE_MTOC SIGNATURE_32('M', 'T', 'O', 'C') -typedef struct { - UINT32 Signature; ///< "MTOC". - EFI_GUID MachOUuid; - // - // Filename of .DLL (Mach-O with debug info) goes here - // -} EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY; - -/// -/// Resource format. -/// -typedef struct { - UINT32 Characteristics; - UINT32 TimeDateStamp; - UINT16 MajorVersion; - UINT16 MinorVersion; - UINT16 NumberOfNamedEntries; - UINT16 NumberOfIdEntries; - // - // Array of EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY entries goes here. - // -} EFI_IMAGE_RESOURCE_DIRECTORY; - -/// -/// Resource directory entry format. -/// -typedef struct { - union { - struct { - UINT32 NameOffset:31; - UINT32 NameIsString:1; - } s; - UINT32 Id; - } u1; - union { - UINT32 OffsetToData; - struct { - UINT32 OffsetToDirectory:31; - UINT32 DataIsDirectory:1; - } s; - } u2; -} EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY; - -/// -/// Resource directory entry for string. -/// -typedef struct { - UINT16 Length; - CHAR16 String[1]; -} EFI_IMAGE_RESOURCE_DIRECTORY_STRING; - -/// -/// Resource directory entry for data array. -/// -typedef struct { - UINT32 OffsetToData; - UINT32 Size; - UINT32 CodePage; - UINT32 Reserved; -} EFI_IMAGE_RESOURCE_DATA_ENTRY; - -/// -/// Header format for TE images, defined in the PI Specification, 1.0. -/// -typedef struct { - UINT16 Signature; ///< The signature for TE format = "VZ". - UINT16 Machine; ///< From the original file header. - UINT8 NumberOfSections; ///< From the original file header. - UINT8 Subsystem; ///< From original optional header. - UINT16 StrippedSize; ///< Number of bytes we removed from the header. - UINT32 AddressOfEntryPoint; ///< Offset to entry point -- from original optional header. - UINT32 BaseOfCode; ///< From original image -- required for ITP debug. - UINT64 ImageBase; ///< From original file header. - EFI_IMAGE_DATA_DIRECTORY DataDirectory[2]; ///< Only base relocation and debug directory. -} EFI_TE_IMAGE_HEADER; - - -#define EFI_TE_IMAGE_HEADER_SIGNATURE SIGNATURE_16('V', 'Z') - -// -// Data directory indexes in our TE image header -// -#define EFI_TE_IMAGE_DIRECTORY_ENTRY_BASERELOC 0 -#define EFI_TE_IMAGE_DIRECTORY_ENTRY_DEBUG 1 - - -/// -/// Union of PE32, PE32+, and TE headers. -/// -typedef union { - EFI_IMAGE_NT_HEADERS32 Pe32; - EFI_IMAGE_NT_HEADERS64 Pe32Plus; - EFI_TE_IMAGE_HEADER Te; -} EFI_IMAGE_OPTIONAL_HEADER_UNION; - -typedef union { - EFI_IMAGE_NT_HEADERS32 *Pe32; - EFI_IMAGE_NT_HEADERS64 *Pe32Plus; - EFI_TE_IMAGE_HEADER *Te; - EFI_IMAGE_OPTIONAL_HEADER_UNION *Union; -} EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION; - -typedef struct _WIN_CERTIFICATE { - UINT32 dwLength; - UINT16 wRevision; - UINT16 wCertificateType; - //UINT8 bCertificate[ANYSIZE_ARRAY]; -} WIN_CERTIFICATE; - -typedef struct { - WIN_CERTIFICATE Hdr; - UINT8 CertData[1]; -} WIN_CERTIFICATE_EFI_PKCS; - -#define SHA256_DIGEST_SIZE 32 -#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 - -typedef struct { - UINT64 ImageAddress; - UINT64 ImageSize; - UINT64 EntryPoint; - UINTN SizeOfHeaders; - UINT16 ImageType; - UINT16 NumberOfSections; - EFI_IMAGE_SECTION_HEADER *FirstSection; - EFI_IMAGE_DATA_DIRECTORY *RelocDir; - EFI_IMAGE_DATA_DIRECTORY *SecDir; - UINT64 NumberOfRvaAndSizes; - EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr; -} PE_COFF_LOADER_IMAGE_CONTEXT; - -#endif From 53862ddace32172c364b620afbd93603ac734b54 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 049/163] Merge signature.h into efiauthenticated.h and guid.h Conflicts: shim.c --- Makefile | 4 ++-- MokManager.c | 19 ++++++++++--------- include/guid.h | 1 + lib/guid.c | 1 + shim.c | 20 +++++++++++--------- signature.h | 43 ------------------------------------------- 6 files changed, 25 insertions(+), 63 deletions(-) delete mode 100644 signature.h diff --git a/Makefile b/Makefile index 83b3df9..031e27f 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,7 @@ VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key -SOURCES = shim.c shim.h netboot.c signature.h include/PeImage.h include/wincert.h +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o @@ -71,7 +71,7 @@ cert.o : cert.S dbx.o : dbx.S $(CC) $(CFLAGS) -c -o $@ $< -shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) fallback.o: $(FALLBACK_SRCS) diff --git a/MokManager.c b/MokManager.c index f6bc6c2..b01c65e 100644 --- a/MokManager.c +++ b/MokManager.c @@ -4,12 +4,13 @@ #include #include "console_control.h" #include "shim.h" -#include "signature.h" #include "PeImage.h" #include "PasswordCrypt.h" -#include "include/console.h" -#include "include/simple_file.h" +#include "guid.h" +#include "console.h" +#include "simple_file.h" +#include "efiauthenticated.h" #define PASSWORD_MAX 256 #define PASSWORD_MIN 1 @@ -115,8 +116,8 @@ done: static UINT32 count_keys(void *Data, UINTN DataSize) { EFI_SIGNATURE_LIST *CertList = Data; - EFI_GUID CertType = EfiCertX509Guid; - EFI_GUID HashType = EfiHashSha256Guid; + EFI_GUID CertType = X509_GUID; + EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINT32 MokNum = 0; @@ -152,8 +153,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { MokListNode *list; EFI_SIGNATURE_LIST *CertList = Data; EFI_SIGNATURE_DATA *Cert; - EFI_GUID CertType = EfiCertX509Guid; - EFI_GUID HashType = EfiHashSha256Guid; + EFI_GUID CertType = X509_GUID; + EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINTN count = 0; @@ -1271,7 +1272,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) goto out; CertList = mokbuffer; - CertList->SignatureType = EfiHashSha256Guid; + CertList->SignatureType = EFI_CERT_SHA256_GUID; CertList->SignatureSize = 16 + SHA256_DIGEST_SIZE; CertData = (EFI_SIGNATURE_DATA *)(((UINT8 *)mokbuffer) + sizeof(EFI_SIGNATURE_LIST)); @@ -1285,7 +1286,7 @@ static EFI_STATUS enroll_file (void *data, UINTN datasize, BOOLEAN hash) goto out; CertList = mokbuffer; - CertList->SignatureType = EfiCertX509Guid; + CertList->SignatureType = X509_GUID; CertList->SignatureSize = 16 + datasize; memcpy(mokbuffer + sizeof(EFI_SIGNATURE_LIST) + 16, data, diff --git a/include/guid.h b/include/guid.h index 10f865a..3c58be0 100644 --- a/include/guid.h +++ b/include/guid.h @@ -12,6 +12,7 @@ extern EFI_GUID RSA2048_GUID; extern EFI_GUID PKCS7_GUID; extern EFI_GUID IMAGE_PROTOCOL; extern EFI_GUID SIMPLE_FS_PROTOCOL; +extern EFI_GUID EFI_CERT_SHA1_GUID; extern EFI_GUID EFI_CERT_SHA256_GUID; extern EFI_GUID MOK_OWNER; extern EFI_GUID SECURITY_PROTOCOL_GUID; diff --git a/lib/guid.c b/lib/guid.c index 25db91a..56ec952 100644 --- a/lib/guid.c +++ b/lib/guid.c @@ -41,6 +41,7 @@ EFI_GUID RSA2048_GUID = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0 EFI_GUID PKCS7_GUID = { 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} }; EFI_GUID IMAGE_PROTOCOL = LOADED_IMAGE_PROTOCOL; EFI_GUID SIMPLE_FS_PROTOCOL = SIMPLE_FILE_SYSTEM_PROTOCOL; +EFI_GUID EFI_CERT_SHA1_GUID = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}; EFI_GUID EFI_CERT_SHA256_GUID = { 0xc1c41626, 0x504c, 0x4092, { 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } }; EFI_GUID MOK_OWNER = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; diff --git a/shim.c b/shim.c index e9e6771..9ffc94a 100644 --- a/shim.c +++ b/shim.c @@ -38,11 +38,13 @@ #include #include "PeImage.h" #include "shim.h" -#include "signature.h" #include "netboot.h" #include "shim_cert.h" #include "ucs2.h" +#include "guid.h" +#include "efiauthenticated.h" + #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" @@ -228,7 +230,7 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, EFI_SIGNATURE_DATA *Cert; UINTN CertCount, Index; BOOLEAN IsFound = FALSE; - EFI_GUID CertType = EfiCertX509Guid; + EFI_GUID CertType = X509_GUID; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { @@ -364,11 +366,11 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, - SHA256_DIGEST_SIZE, EfiHashSha256Guid) == + SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, - SHA1_DIGEST_SIZE, EfiHashSha1Guid) == + SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert, @@ -376,10 +378,10 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, return EFI_ACCESS_DENIED; if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EfiHashSha256Guid) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EfiHashSha1Guid) == DATA_FOUND) + EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND) return EFI_ACCESS_DENIED; @@ -397,13 +399,13 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_GUID shim_var = SHIM_LOCK_GUID; if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EfiHashSha256Guid) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_SUCCESS; if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EfiHashSha1Guid) == DATA_FOUND) + EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_SUCCESS; if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE, - EfiHashSha256Guid) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) return EFI_SUCCESS; if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) return EFI_SUCCESS; diff --git a/signature.h b/signature.h deleted file mode 100644 index 722dbe6..0000000 --- a/signature.h +++ /dev/null @@ -1,43 +0,0 @@ -#define SHA256_DIGEST_SIZE 32 - -EFI_GUID EfiHashSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }}; -EFI_GUID EfiHashSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}; -EFI_GUID EfiCertX509Guid = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }}; - -typedef struct { - /// - /// An identifier which identifies the agent which added the signature to the list. - /// - EFI_GUID SignatureOwner; - /// - /// The format of the signature is defined by the SignatureType. - /// - UINT8 SignatureData[1]; -} __attribute__ ((packed)) EFI_SIGNATURE_DATA; - -typedef struct { - /// - /// Type of the signature. GUID signature types are defined in below. - /// - EFI_GUID SignatureType; - /// - /// Total size of the signature list, including this header. - /// - UINT32 SignatureListSize; - /// - /// Size of the signature header which precedes the array of signatures. - /// - UINT32 SignatureHeaderSize; - /// - /// Size of each signature. - /// - UINT32 SignatureSize; - /// - /// Header before the array of signatures. The format of this header is specified - /// by the SignatureType. - /// UINT8 SignatureHeader[SignatureHeaderSize]; - /// - /// An array of signatures. Each signature is SignatureSize bytes in length. - /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; - /// -} __attribute__ ((packed)) EFI_SIGNATURE_LIST; From 7f0208a0f93ac83635e1d5971387e5fbfdaaf734 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 050/163] Merge variable retrieving functions --- MokManager.c | 34 +++----------------- include/variables.h | 2 +- lib/Makefile | 2 +- lib/variables.c | 1 - shim.c | 78 +++++++++++++++------------------------------ 5 files changed, 31 insertions(+), 86 deletions(-) diff --git a/MokManager.c b/MokManager.c index b01c65e..805017b 100644 --- a/MokManager.c +++ b/MokManager.c @@ -9,6 +9,7 @@ #include "guid.h" #include "console.h" +#include "variables.h" #include "simple_file.h" #include "efiauthenticated.h" @@ -50,32 +51,6 @@ typedef struct { CHAR16 Password[SB_PASSWORD_LEN]; } __attribute__ ((packed)) MokSBvar; -static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes, - UINTN *size, void **buffer) -{ - EFI_STATUS efi_status; - char allocate = !(*size); - - efi_status = uefi_call_wrapper(RT->GetVariable, 5, name, &guid, - attributes, size, buffer); - - if (efi_status != EFI_BUFFER_TOO_SMALL || !allocate) { - return efi_status; - } - - *buffer = AllocatePool(*size); - - if (!*buffer) { - console_notify(L"Unable to allocate variable buffer"); - return EFI_OUT_OF_RESOURCES; - } - - efi_status = uefi_call_wrapper(RT->GetVariable, 5, name, &guid, - attributes, size, *buffer); - - return efi_status; -} - static EFI_STATUS get_sha1sum (void *Data, int DataSize, UINT8 *hash) { EFI_STATUS status; @@ -904,7 +879,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) UINT8 auth[PASSWORD_CRYPT_SIZE]; UINTN auth_size = PASSWORD_CRYPT_SIZE; UINT32 attributes; - void *MokListData = NULL; + UINT8 *MokListData = NULL; UINTN MokListDataSize = 0; MokListNode *mok, *del_key; INTN mok_num, del_num; @@ -929,9 +904,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; - efi_status = get_variable(L"MokList", shim_lock_guid, &attributes, - &MokListDataSize, &MokListData); - + efi_status = get_variable_attr (L"MokList", &MokListData, &MokListDataSize, + shim_lock_guid, &attributes); if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { console_alertbox((CHAR16 *[]){L"MokList is compromised!", L"Erase all keys in MokList!", diff --git a/include/variables.h b/include/variables.h index c171bd5..b207dbf 100644 --- a/include/variables.h +++ b/include/variables.h @@ -1,6 +1,6 @@ #include -#include /* for SHA256_DIGEST_SIZE */ +#include /* for SHA256_DIGEST_SIZE */ #define certlist_for_each_certentry(cl, cl_init, s, s_init) \ for (cl = (EFI_SIGNATURE_LIST *)(cl_init), s = (s_init); \ diff --git a/lib/Makefile b/lib/Makefile index 4390700..e85c1fd 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,6 +1,6 @@ TARGET = lib.a -LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o +LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) diff --git a/lib/variables.c b/lib/variables.c index 9db6480..81bd34d 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -27,7 +27,6 @@ #include #include #include -#include #include EFI_STATUS diff --git a/shim.c b/shim.c index 9ffc94a..c2d54c4 100644 --- a/shim.c +++ b/shim.c @@ -43,6 +43,7 @@ #include "ucs2.h" #include "guid.h" +#include "variables.h" #include "efiauthenticated.h" #define FALLBACK L"\\fallback.efi" @@ -81,32 +82,6 @@ typedef struct { UINT8 *Mok; } MokListNode; -static EFI_STATUS get_variable (CHAR16 *name, EFI_GUID guid, UINT32 *attributes, - UINTN *size, void **buffer) -{ - EFI_STATUS efi_status; - char allocate = !(*size); - - efi_status = uefi_call_wrapper(RT->GetVariable, 5, name, &guid, - attributes, size, buffer); - - if (efi_status != EFI_BUFFER_TOO_SMALL || !allocate) { - return efi_status; - } - - *buffer = AllocatePool(*size); - - if (!*buffer) { - Print(L"Unable to allocate variable buffer\n"); - return EFI_OUT_OF_RESOURCES; - } - - efi_status = uefi_call_wrapper(RT->GetVariable, 5, name, &guid, - attributes, size, *buffer); - - return efi_status; -} - /* * Perform basic bounds checking of the intra-image pointers */ @@ -270,15 +245,14 @@ static CHECK_STATUS check_db_cert(CHAR16 *dbname, EFI_GUID guid, EFI_STATUS efi_status; EFI_SIGNATURE_LIST *CertList; UINTN dbsize = 0; - UINT32 attributes; - void *db; + UINT8 *db; - efi_status = get_variable(dbname, guid, &attributes, &dbsize, &db); + efi_status = get_variable(dbname, &db, &dbsize, guid); if (efi_status != EFI_SUCCESS) return VAR_NOT_FOUND; - CertList = db; + CertList = (EFI_SIGNATURE_LIST *)db; rc = check_db_cert_in_ram(CertList, dbsize, data, hash); @@ -336,17 +310,16 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data, { EFI_STATUS efi_status; EFI_SIGNATURE_LIST *CertList; - UINT32 attributes; UINTN dbsize = 0; - void *db; + UINT8 *db; - efi_status = get_variable(dbname, guid, &attributes, &dbsize, &db); + efi_status = get_variable(dbname, &db, &dbsize, guid); if (efi_status != EFI_SUCCESS) { return VAR_NOT_FOUND; } - CertList = db; + CertList = (EFI_SIGNATURE_LIST *)db; CHECK_STATUS rc = check_db_hash_in_ram(CertList, dbsize, data, SignatureSize, CertType); @@ -423,15 +396,16 @@ static BOOLEAN secure_mode (void) { EFI_STATUS status; EFI_GUID global_var = EFI_GLOBAL_VARIABLE; - UINTN charsize = sizeof(char); + UINTN len; + UINT8 *Data; UINT8 sb, setupmode; - UINT32 attributes; if (insecure_mode) return FALSE; - status = get_variable(L"SecureBoot", global_var, &attributes, &charsize, - (void *)&sb); + status = get_variable(L"SecureBoot", &Data, &len, global_var); + sb = *Data; + FreePool(Data); /* FIXME - more paranoia here? */ if (status != EFI_SUCCESS || sb != 1) { @@ -440,8 +414,9 @@ static BOOLEAN secure_mode (void) return FALSE; } - status = get_variable(L"SetupMode", global_var, &attributes, &charsize, - (void *)&setupmode); + status = get_variable(L"SetupMode", &Data, &len, global_var); + setupmode = *Data; + FreePool(Data); if (status == EFI_SUCCESS && setupmode == 1) { if (verbose) @@ -629,12 +604,12 @@ done: static EFI_STATUS verify_mok (void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; - void *MokListData = NULL; + UINT8 *MokListData = NULL; UINTN MokListDataSize = 0; UINT32 attributes; - status = get_variable(L"MokList", shim_lock_guid, &attributes, - &MokListDataSize, &MokListData); + status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize, + shim_lock_guid, &attributes); if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { Print(L"MokList is compromised!\nErase all keys in MokList!\n"); @@ -1325,12 +1300,10 @@ EFI_STATUS mirror_mok_list() { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT32 attributes; - void *Data = NULL; + UINT8 *Data = NULL; UINTN DataSize = 0; - efi_status = get_variable(L"MokList", shim_lock_guid, &attributes, - &DataSize, &Data); + efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); if (efi_status != EFI_SUCCESS) { goto done; @@ -1400,12 +1373,12 @@ static EFI_STATUS check_mok_sb (void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; - void *MokSBState = NULL; + UINT8 *MokSBState = NULL; UINTN MokSBStateSize = 0; UINT32 attributes; - status = get_variable(L"MokSBState", shim_lock_guid, &attributes, - &MokSBStateSize, &MokSBState); + status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize, + shim_lock_guid, &attributes); if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1517,7 +1490,6 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) EFI_STATUS efi_status; UINT8 verbose_check; UINTN verbose_check_size; - UINT32 attributes; EFI_GUID global_var = EFI_GLOBAL_VARIABLE; /* @@ -1536,8 +1508,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) InitializeLib(image_handle, systab); verbose_check_size = 1; - efi_status = get_variable(L"SHIM_VERBOSE", global_var, &attributes, - &verbose_check_size, (void *)&verbose_check); + efi_status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check, + &verbose_check_size, global_var); if (!EFI_ERROR(efi_status)) verbose = verbose_check; From 6d6aff1bab14ccdf4b4efe14a5fd2115b2c1e838 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 11:58:02 -0400 Subject: [PATCH 051/163] Clean up tarballs in "make clean" Signed-off-by: Peter Jones --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 031e27f..39ca7bf 100644 --- a/Makefile +++ b/Makefile @@ -114,7 +114,7 @@ clean: $(MAKE) -C Cryptlib/OpenSSL clean $(MAKE) -C lib clean rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb - rm -f *.debug *.so *.efi + rm -f *.debug *.so *.efi *.tar.* GITTAG = $(VERSION) From 59dcd9d1b8c45027d9aa5a1958579ae9872df6c7 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 26 Sep 2013 11:58:03 -0400 Subject: [PATCH 052/163] integrate security override --- include/security_policy.h | 4 +- lib/Makefile | 2 +- lib/security_policy.c | 77 +++++++++------------------------------ shim.c | 11 ++++++ 4 files changed, 33 insertions(+), 61 deletions(-) diff --git a/include/security_policy.h b/include/security_policy.h index a1c1002..b0109ce 100644 --- a/include/security_policy.h +++ b/include/security_policy.h @@ -1,5 +1,7 @@ +typedef EFI_STATUS (*SecurityHook) (void *data, UINT32 len); + EFI_STATUS -security_policy_install(void); +security_policy_install(SecurityHook authentication); EFI_STATUS security_policy_uninstall(void); void diff --git a/lib/Makefile b/lib/Makefile index e85c1fd..c1b9ab3 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,6 +1,6 @@ TARGET = lib.a -LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o +LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) diff --git a/lib/security_policy.c b/lib/security_policy.c index e7becbf..f1b0842 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -10,7 +10,6 @@ #include #include -#include #include #include #include @@ -50,59 +49,7 @@ struct _EFI_SECURITY_PROTOCOL { static UINT8 *security_policy_esl = NULL; static UINTN security_policy_esl_len; - -static EFI_STATUS -security_policy_check_mok(void *data, UINTN len) -{ - EFI_STATUS status; - UINT8 hash[SHA256_DIGEST_SIZE]; - UINT32 attr; - UINT8 *VarData; - UINTN VarLen; - - /* first check is MokSBState. If we're in insecure mode, boot - * anyway regardless of dbx contents */ - status = get_variable_attr(L"MokSBState", &VarData, &VarLen, - MOK_OWNER, &attr); - if (status == EFI_SUCCESS) { - UINT8 MokSBState = VarData[0]; - - FreePool(VarData); - if ((attr & EFI_VARIABLE_RUNTIME_ACCESS) == 0 - && MokSBState) - return EFI_SUCCESS; - } - - status = sha256_get_pecoff_digest_mem(data, len, hash); - if (status != EFI_SUCCESS) - return status; - - if (find_in_variable_esl(L"dbx", SIG_DB, hash, SHA256_DIGEST_SIZE) - == EFI_SUCCESS) - /* MOK list cannot override dbx */ - return EFI_SECURITY_VIOLATION; - - status = get_variable_attr(L"MokList", &VarData, &VarLen, MOK_OWNER, - &attr); - if (status != EFI_SUCCESS) - goto check_tmplist; - - FreePool(VarData); - - if (attr & EFI_VARIABLE_RUNTIME_ACCESS) - goto check_tmplist; - - if (find_in_variable_esl(L"MokList", MOK_OWNER, hash, SHA256_DIGEST_SIZE) == EFI_SUCCESS) - return EFI_SUCCESS; - - check_tmplist: - if (security_policy_esl - && find_in_esl(security_policy_esl, security_policy_esl_len, hash, - SHA256_DIGEST_SIZE) == EFI_SUCCESS) - return EFI_SUCCESS; - - return EFI_SECURITY_VIOLATION; -} +static SecurityHook extra_check = NULL; static EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL; static EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL; @@ -143,7 +90,10 @@ security2_policy_authentication ( if (status == EFI_SUCCESS) return status; - auth = security_policy_check_mok(FileBuffer, FileSize); + if (extra_check) + auth = extra_check(FileBuffer, FileSize); + else + return EFI_SECURITY_VIOLATION; if (auth == EFI_SECURITY_VIOLATION || auth == EFI_ACCESS_DENIED) /* return previous status, which is the correct one @@ -202,7 +152,10 @@ security_policy_authentication ( if (status != EFI_SUCCESS) goto out; - status = security_policy_check_mok(FileBuffer, FileSize); + if (extra_check) + status = extra_check(FileBuffer, FileSize); + else + status = EFI_SECURITY_VIOLATION; FreePool(FileBuffer); if (status == EFI_ACCESS_DENIED || status == EFI_SECURITY_VIOLATION) @@ -307,7 +260,7 @@ asm ( ); EFI_STATUS -security_policy_install(void) +security_policy_install(SecurityHook hook) { EFI_SECURITY_PROTOCOL *security_protocol; EFI_SECURITY2_PROTOCOL *security2_protocol = NULL; @@ -325,8 +278,8 @@ security_policy_install(void) &security2_protocol); status = uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY_PROTOCOL_GUID, NULL, - &security_protocol); + &SECURITY_PROTOCOL_GUID, NULL, + &security_protocol); if (status != EFI_SUCCESS) /* This one is mandatory, so there's a serious problem */ return status; @@ -341,6 +294,9 @@ security_policy_install(void) security_protocol->FileAuthenticationState = thunk_security_policy_authentication; + if (hook) + extra_check = hook; + return EFI_SUCCESS; } @@ -380,6 +336,9 @@ security_policy_uninstall(void) es2fa = NULL; } + if (extra_check) + extra_check = NULL; + return EFI_SUCCESS; } diff --git a/shim.c b/shim.c index c2d54c4..f644f3f 100644 --- a/shim.c +++ b/shim.c @@ -45,6 +45,7 @@ #include "guid.h" #include "variables.h" #include "efiauthenticated.h" +#include "security_policy.h" #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" @@ -1537,6 +1538,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) &shim_lock_guid, EFI_NATIVE_INTERFACE, &shim_lock_interface); + /* + * Install the security protocol hook + */ + security_policy_install(shim_verify); + /* * Enter MokManager if necessary */ @@ -1560,6 +1566,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, &shim_lock_guid, &shim_lock_interface); + /* + * Clean up the security protocol hook + */ + security_policy_uninstall(); + /* * Free the space allocated for the alternative 2nd stage loader */ From 8317a1f0ada758d4e86f0503ff229a8f7b74ef75 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 13:44:05 -0400 Subject: [PATCH 053/163] Don't use LibGetVariable(), since it doesn't give us real error codes. --- MokManager.c | 69 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 26 deletions(-) diff --git a/MokManager.c b/MokManager.c index 805017b..7b7e150 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1685,45 +1685,62 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) void *MokDel = NULL; void *MokSB = NULL; void *MokPW = NULL; + EFI_STATUS status; - MokNew = LibGetVariableAndSize(L"MokNew", &shim_lock_guid, &MokNewSize); + status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, + shim_lock_guid); + if (status == EFI_SUCCESS) { + if (LibDeleteVariable(L"MokNew", &shim_lock_guid) != EFI_SUCCESS) { + console_notify(L"Failed to delete MokNew"); + } + } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve MokNew", status); + } - MokDel = LibGetVariableAndSize(L"MokDel", &shim_lock_guid, &MokDelSize); + status = get_variable(L"MokDel", (UINT8 **)&MokDel, &MokDelSize, + shim_lock_guid); + if (status == EFI_SUCCESS) { + if (LibDeleteVariable(L"MokDel", &shim_lock_guid) != EFI_SUCCESS) { + console_notify(L"Failed to delete MokDel"); + } + } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve MokDel", status); + } - MokSB = LibGetVariableAndSize(L"MokSB", &shim_lock_guid, &MokSBSize); + status = get_variable(L"MokSB", (UINT8 **)&MokSB, &MokSBSize, + shim_lock_guid); + if (status == EFI_SUCCESS) { + if (LibDeleteVariable(L"MokSB", &shim_lock_guid) != EFI_SUCCESS) { + console_notify(L"Failed to delete MokSB"); + } + } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve MokSB", status); + } - MokPW = LibGetVariableAndSize(L"MokPW", &shim_lock_guid, &MokPWSize); + status = get_variable(L"MokPW", (UINT8 **)&MokPW, &MokPWSize, + shim_lock_guid); + if (status == EFI_SUCCESS) { + if (LibDeleteVariable(L"MokPW", &shim_lock_guid) != EFI_SUCCESS) { + console_notify(L"Failed to delete MokPW"); + } + } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve MokPW", status); + } enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, MokSB, MokSBSize, MokPW, MokPWSize); - if (MokNew) { - if (LibDeleteVariable(L"MokNew", &shim_lock_guid) != EFI_SUCCESS) { - console_notify(L"Failed to delete MokNew"); - } + if (MokNew) FreePool (MokNew); - } - if (MokDel) { - if (LibDeleteVariable(L"MokDel", &shim_lock_guid) != EFI_SUCCESS) { - console_notify(L"Failed to delete MokDel"); - } + if (MokDel) FreePool (MokDel); - } - if (MokSB) { - if (LibDeleteVariable(L"MokSB", &shim_lock_guid) != EFI_SUCCESS) { - console_notify(L"Failed to delete MokSB"); - } - FreePool (MokNew); - } + if (MokSB) + FreePool (MokSB); - if (MokPW) { - if (LibDeleteVariable(L"MokPW", &shim_lock_guid) != EFI_SUCCESS) { - console_notify(L"Failed to delete MokPW"); - } - FreePool (MokNew); - } + if (MokPW) + FreePool (MokPW); LibDeleteVariable(L"MokAuth", &shim_lock_guid); LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); From 2efb269ba6d1aaa40d6366aa3250031012bbe6d0 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 054/163] Remove TODO items fixed by merging lf_merge and lcp/lf-security-override. Signed-off-by: Peter Jones --- TODO | 6 ------ 1 file changed, 6 deletions(-) diff --git a/TODO b/TODO index a18f600..c2809ab 100644 --- a/TODO +++ b/TODO @@ -14,12 +14,6 @@ MokListRT signing: in the kernel boot stub instead, just because it'll need an ephemeral key to be generated, and that means we need some entropy to build up. -Better ui: -- Gary Lin at SuSE is working on better UI for MokManager. It - desperately needs it. -James's modification: -- We're merging James Bottomley's hack to make shim use unpublished - system crypto services, as a compile time option. New security protocol: - TBD kexec MoK Management: From a1f2863584ef780eb0f974efe226f1c2524db681 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 055/163] Make vendor_cert/vendor_dbx actually replaceable by an external tool. This moves them both to be computed at runtime from a pointer+offset rather than just a pointer, so that their real address can be entirely derived from the section they're in. This means you can replace the whole .vendor_cert section with a new one with certs that don't have the same size. --- Makefile | 3 -- cert.S | 95 +++++++++++++++++++++++++++++++++++++------------------- dbx.S | 36 --------------------- shim.c | 20 +++++++++--- 4 files changed, 79 insertions(+), 75 deletions(-) delete mode 100644 dbx.S diff --git a/Makefile b/Makefile index 39ca7bf..6f4adf1 100644 --- a/Makefile +++ b/Makefile @@ -68,9 +68,6 @@ shim.o: $(SOURCES) shim_cert.h cert.o : cert.S $(CC) $(CFLAGS) -c -o $@ $< -dbx.o : dbx.S - $(CC) $(CFLAGS) -c -o $@ $< - shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) diff --git a/cert.S b/cert.S index 66a05b8..3cfd665 100644 --- a/cert.S +++ b/cert.S @@ -1,36 +1,67 @@ + .globl cert_table + .data + .align 16 + .type cert_table, @object + .size cert_table, 4 + .section .vendor_cert, "a", @progbits +cert_table: #if defined(VENDOR_CERT_FILE) - .globl vendor_cert_size - .data - .align 1 - .type vendor_cert_size, @object - .size vendor_cert_size, 4 - .section .vendor_cert, "a", @progbits -vendor_cert_size: - .long .L0 - vendor_cert - .globl vendor_cert - .data - .align 1 - .type vendor_cert, @object - .size vendor_cert, .L0-vendor_cert - .section .vendor_cert, "a", @progbits -vendor_cert: -.incbin VENDOR_CERT_FILE -.L0: + .long vendor_cert_priv_end - vendor_cert_priv #else - .globl vendor_cert - .bss - .type vendor_cert, @object - .size vendor_cert, 1 - .section .vendor_cert, "a", @progbits -vendor_cert: - .zero 1 - - .globl vendor_cert_size - .data - .align 4 - .type vendor_cert_size, @object - .size vendor_cert_size, 4 - .section .vendor_cert, "a", @progbits -vendor_cert_size: .long 0 #endif +#if defined(VENDOR_DBX_FILE) + .long vendor_dbx_priv_end - vendor_dbx_priv +#else + .long 0 +#endif + .long vendor_cert_priv - cert_table + .long vendor_dbx_priv - cert_table +#if defined(VENDOR_CERT_FILE) + .data + .align 1 + .type vendor_cert_priv, @object + .size vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv + .section .vendor_cert, "a", @progbits +vendor_cert_priv: +.incbin VENDOR_CERT_FILE +vendor_cert_priv_end: +#else + .bss + .type vendor_cert_priv, @object + .size vendor_cert_priv, 1 + .section .vendor_cert, "a", @progbits +vendor_cert_priv: + .zero 1 + + .data + .align 4 + .type vendor_cert_size_priv, @object + .size vendor_cert_size_priv, 4 + .section .vendor_cert, "a", @progbits +vendor_cert_priv_end: +#endif +#if defined(VENDOR_DBX_FILE) + .data + .align 1 + .type vendor_dbx_priv, @object + .size vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv + .section .vendor_cert, "a", @progbits +vendor_dbx_priv: +.incbin VENDOR_DBX_FILE +vendor_dbx_priv_end: +#else + .bss + .type vendor_dbx_priv, @object + .size vendor_dbx_priv, 1 + .section .vendor_cert, "a", @progbits +vendor_dbx_priv: + .zero 1 + + .data + .align 4 + .type vendor_dbx_size_priv, @object + .size vendor_dbx_size_priv, 4 + .section .vendor_cert, "a", @progbits +vendor_dbx_priv_end: +#endif diff --git a/dbx.S b/dbx.S deleted file mode 100644 index 7b19c5c..0000000 --- a/dbx.S +++ /dev/null @@ -1,36 +0,0 @@ -#if defined(VENDOR_DBX_FILE) - .globl vendor_dbx_size - .data - .align 1 - .type vendor_dbx_size, @object - .size vendor_dbx_size, 4 - .section .vendor_cert, "a", @progbits -vendor_dbx_size: - .long .L0 - vendor_dbx - .globl vendor_dbx - .data - .align 1 - .type vendor_dbx, @object - .size vendor_dbx, .L0-vendor_dbx - .section .vendor_cert, "a", @progbits -vendor_dbx: -.incbin VENDOR_DBX_FILE -.L0: -#else - .globl vendor_dbx - .bss - .type vendor_dbx, @object - .size vendor_dbx, 1 - .section .vendor_cert, "a", @progbits -vendor_dbx: - .zero 1 - - .globl vendor_dbx_size - .data - .align 4 - .type vendor_dbx_size, @object - .size vendor_dbx_size, 4 - .section .vendor_cert, "a", @progbits -vendor_dbx_size: - .long 0 -#endif diff --git a/shim.c b/shim.c index f644f3f..a923e7e 100644 --- a/shim.c +++ b/shim.c @@ -63,10 +63,17 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, /* * The vendor certificate used for validating the second stage loader */ -extern UINT8 vendor_cert[]; -extern UINT32 vendor_cert_size; -extern UINT8 vendor_dbx[]; -extern UINT32 vendor_dbx_size; +extern struct { + UINT32 vendor_cert_size; + UINT32 vendor_dbx_size; + UINT32 vendor_cert_offset; + UINT32 vendor_dbx_offset; +} cert_table; + +UINT32 vendor_cert_size; +UINT32 vendor_dbx_size; +UINT8 *vendor_cert; +UINT8 *vendor_dbx; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} @@ -1493,6 +1500,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) UINTN verbose_check_size; EFI_GUID global_var = EFI_GLOBAL_VARIABLE; + vendor_cert_size = cert_table.vendor_cert_size; + vendor_dbx_size = cert_table.vendor_dbx_size; + vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset; + vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset; + /* * Set up the shim lock protocol so that grub and MokManager can * call back in and use shim functions From cbef697a96d9fcd7e0949e4cf772955b32a92290 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 056/163] Harden shim against non-participating bootloaders. It works like this: during startup of shim, we hook into the system's ExitBootServices() and StartImage(). If the system's StartImage() is called, we automatically unhook, because we're chainloading to something the system can verify. When shim's verify is called, we record what kind of certificate the image was verified against. If the call /succeeds/, we remove our hooks. If ExitBootServices() is called, we check how the bootloader verified whatever it is loading. If it was verified by its hash, we unhook everything and call the system's EBS(). If it was verified by certificate, we check if it has called shim_verify(). If it has, we unhook everything and call the system's EBS() If the bootloader has not verified anything, and is itself verified by a certificate, we display a security violation warning and halt the machine. --- Makefile | 6 +- TODO | 4 -- replacements.c | 147 +++++++++++++++++++++++++++++++++++++++++++++++++ replacements.h | 43 +++++++++++++++ shim.c | 54 ++++++++++++++++-- 5 files changed, 241 insertions(+), 13 deletions(-) create mode 100644 replacements.c create mode 100644 replacements.h diff --git a/Makefile b/Makefile index 6f4adf1..1752ef5 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ - -mno-mmx -mno-sse \ + -mno-mmx -mno-sse -fno-builtin \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) @@ -36,9 +36,9 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed -OBJS = shim.o netboot.o cert.o dbx.o +OBJS = shim.o netboot.o cert.o replacements.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key -SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h replacements.c replacements.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o diff --git a/TODO b/TODO index c2809ab..4694676 100644 --- a/TODO +++ b/TODO @@ -1,7 +1,3 @@ -Hardening startimage: -- Don't allow non-participating bootloaders/kernels to call - ExitBootServices(), but trap in StartImage() so we can let them do - that. Versioned protocol: - Make shim and the bootloaders using it express how enlightened they are to one another, so we can stop earlier without tricks like diff --git a/replacements.c b/replacements.c new file mode 100644 index 0000000..b05b220 --- /dev/null +++ b/replacements.c @@ -0,0 +1,147 @@ +/* + * shim - trivial UEFI first-stage bootloader + * + * Copyright 2012 Red Hat, Inc + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Significant portions of this code are derived from Tianocore + * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel + * Corporation. + */ + +/* Chemical agents lend themselves to covert use in sabotage against + * which it is exceedingly difficult to visualize any really effective + * defense... I will not dwell upon this use of CBW because, as one + * pursues the possibilities of such covert uses, one discovers that the + * scenarios resemble that in which the components of a nuclear weapon + * are smuggled into New York City and assembled in the basement of the + * Empire State Building. + * In other words, once the possibility is recognized to exist, about + * all that one can do is worry about it. + * -- Dr. Ivan L Bennett, Jr., testifying before the Subcommittee on + * National Security Policy and Scientific Developments, November 20, + * 1969. + */ + +#include +#include +#include +#include "shim.h" +#include "replacements.h" + +/* oh for fuck's sakes.*/ +#ifndef EFI_SECURITY_VIOLATION +#define EFI_SECURITY_VIOLATION 26 +#endif + +static EFI_SYSTEM_TABLE *systab; + +static typeof(systab->BootServices->StartImage) system_start_image; +static typeof(systab->BootServices->Exit) system_exit; +static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; + +extern UINT8 insecure_mode; + +static void +unhook_system_services(void) +{ + if (insecure_mode) + return; + systab->BootServices->Exit = system_exit; + systab->BootServices->StartImage = system_start_image; + systab->BootServices->ExitBootServices = system_exit_boot_services; +} + +static EFI_STATUS EFIAPI +start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data) +{ + EFI_STATUS status; + unhook_system_services(); + status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data); + if (EFI_ERROR(status)) + hook_system_services(systab); + return status; +} + +static EFI_STATUS EFIAPI +exit_boot_services(EFI_HANDLE image_key, UINTN map_key) +{ + if (loader_is_participating || verification_method == VERIFIED_BY_HASH) { + unhook_system_services(); + EFI_STATUS status; + status = systab->BootServices->ExitBootServices(image_key, map_key); + if (status != EFI_SUCCESS) + hook_system_services(systab); + return status; + } + + Print(L"Bootloader has not verified loaded image.\n"); + Print(L"System is compromised. halting.\n"); + systab->BootServices->Stall(5000000); + systab->RuntimeServices->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION, 0, NULL); + return EFI_SECURITY_VIOLATION; +} + +static EFI_STATUS EFIAPI +exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, + UINTN ExitDataSize, CHAR16 *ExitData) +{ + EFI_STATUS status; + unhook_system_services(); + + status = systab->BootServices->Exit(ImageHandle, ExitStatus, ExitDataSize, ExitData); + if (EFI_ERROR(status)) + hook_system_services(systab); + return status; +} + + +void +hook_system_services(EFI_SYSTEM_TABLE *local_systab) +{ + if (insecure_mode) + return; + systab = local_systab; + + /* We need to hook various calls to make this work... */ + + /* we need StartImage() so that we can allow chain booting to an + * image trusted by the firmware */ + system_start_image = systab->BootServices->StartImage; + systab->BootServices->StartImage = start_image; + + /* we need to hook ExitBootServices() so a) we can enforce the policy + * and b) we can unwrap when we're done. */ + system_exit_boot_services = systab->BootServices->ExitBootServices; + systab->BootServices->ExitBootServices = exit_boot_services; + + /* we need to hook Exit() so that we can allow users to quit the + * bootloader and still e.g. start a new one or run an internal + * shell. */ + system_exit = systab->BootServices->Exit; + systab->BootServices->Exit = exit; +} diff --git a/replacements.h b/replacements.h new file mode 100644 index 0000000..806c038 --- /dev/null +++ b/replacements.h @@ -0,0 +1,43 @@ +/* + * Copyright 2013 Red Hat, Inc + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef SHIM_REPLACEMENTS_H +#define SHIM_REPLACEMENTS_H 1 + +typedef enum { + VERIFIED_BY_NOTHING, + VERIFIED_BY_CERT, + VERIFIED_BY_HASH +} verification_method_t; + +extern verification_method_t verification_method; +extern int loader_is_participating; + +extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab); + +#endif /* SHIM_REPLACEMENTS_H */ diff --git a/shim.c b/shim.c index a923e7e..aaf2fc4 100644 --- a/shim.c +++ b/shim.c @@ -40,6 +40,7 @@ #include "shim.h" #include "netboot.h" #include "shim_cert.h" +#include "replacements.h" #include "ucs2.h" #include "guid.h" @@ -75,9 +76,15 @@ UINT32 vendor_dbx_size; UINT8 *vendor_cert; UINT8 *vendor_dbx; +/* + * indicator of how an image has been verified + */ +verification_method_t verification_method; +int loader_is_participating; + #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -static UINT8 insecure_mode; +UINT8 insecure_mode; typedef enum { DATA_FOUND, @@ -370,6 +377,12 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, return EFI_SUCCESS; } +static void update_verification_method(verification_method_t method) +{ + if (verification_method == VERIFIED_BY_NOTHING) + verification_method = method; +} + /* * Check whether the binary signature or hash are present in db or MokList */ @@ -380,19 +393,34 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_GUID shim_var = SHIM_LOCK_GUID; if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EFI_CERT_SHA256_GUID) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) { + update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; + } if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EFI_CERT_SHA1_GUID) == DATA_FOUND) + EFI_CERT_SHA1_GUID) == DATA_FOUND) { + verification_method = VERIFIED_BY_HASH; + update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; + } if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE, - EFI_CERT_SHA256_GUID) == DATA_FOUND) + EFI_CERT_SHA256_GUID) == DATA_FOUND) { + verification_method = VERIFIED_BY_HASH; + update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; - if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) + } + if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) { + verification_method = VERIFIED_BY_CERT; + update_verification_method(VERIFIED_BY_CERT); return EFI_SUCCESS; - if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) + } + if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) { + verification_method = VERIFIED_BY_CERT; + update_verification_method(VERIFIED_BY_CERT); return EFI_SUCCESS; + } + update_verification_method(VERIFIED_BY_NOTHING); return EFI_ACCESS_DENIED; } @@ -1169,6 +1197,8 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) EFI_STATUS status; PE_COFF_LOADER_IMAGE_CONTEXT context; + loader_is_participating = 1; + if (!secure_mode()) return EFI_SUCCESS; @@ -1262,6 +1292,8 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) goto done; } + loader_is_participating = 0; + /* * The binary is trusted and relocated. Run it */ @@ -1391,6 +1423,8 @@ static EFI_STATUS check_mok_sb (void) if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; + insecure_mode = 0; + /* * Delete and ignore the variable if it's been set from or could be * modified by the OS @@ -1500,6 +1534,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) UINTN verbose_check_size; EFI_GUID global_var = EFI_GLOBAL_VARIABLE; + verification_method = VERIFIED_BY_NOTHING; + vendor_cert_size = cert_table.vendor_cert_size; vendor_dbx_size = cert_table.vendor_dbx_size; vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset; @@ -1541,6 +1577,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) if (insecure_mode) { Print(L"Booting in insecure mode\n"); uefi_call_wrapper(BS->Stall, 1, 2000000); + } else { + /* + * Install our hooks for ExitBootServices() and StartImage() + */ + hook_system_services(systab); + loader_is_participating = 0; } /* From 4185c7d67eebb2ce64acaeed559c1ecce785f9cc Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 057/163] Include shim's vendor_cert in MokListRT There needs to be some way to communicate to the kernel that it's a trusted key, and since this mechanism already exists, it's by far the easiest. --- TODO | 2 -- shim.c | 42 ++++++++++++++++++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/TODO b/TODO index 4694676..fe50e50 100644 --- a/TODO +++ b/TODO @@ -2,8 +2,6 @@ Versioned protocol: - Make shim and the bootloaders using it express how enlightened they are to one another, so we can stop earlier without tricks like the one above -MokListRT containing shim key: -- MokListRT has to contain the shim key... MokListRT signing: - For kexec and hybernate to work right, MokListRT probably needs to be an authenticated variable. It's probable this needs to be done diff --git a/shim.c b/shim.c index aaf2fc4..8c4ef65 100644 --- a/shim.c +++ b/shim.c @@ -1342,23 +1342,57 @@ EFI_STATUS mirror_mok_list() EFI_STATUS efi_status; UINT8 *Data = NULL; UINTN DataSize = 0; + void *FullData = NULL; + UINTN FullDataSize = 0; + EFI_SIGNATURE_LIST *CertList = NULL; + EFI_SIGNATURE_DATA *CertData = NULL; + uint8_t *p = NULL; efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); + if (efi_status != EFI_SUCCESS) + DataSize = 0; - if (efi_status != EFI_SUCCESS) { - goto done; + FullDataSize = DataSize + + sizeof (*CertList) + + sizeof (EFI_GUID) + + vendor_cert_size + ; + FullData = AllocatePool(FullDataSize); + if (!FullData) { + Print(L"Failed to allocate space for MokListRT\n"); + return EFI_OUT_OF_RESOURCES; } + p = FullData; + + if (efi_status == EFI_SUCCESS && DataSize > 0) { + CopyMem(p, Data, DataSize); + p += DataSize; + } + CertList = (EFI_SIGNATURE_LIST *)p; + p += sizeof (*CertList); + CertData = (EFI_SIGNATURE_DATA *)p; + p += sizeof (EFI_GUID); + + CertList->SignatureType = EFI_CERT_X509_GUID; + CertList->SignatureListSize = vendor_cert_size + + sizeof (*CertList) + + sizeof (*CertData) + -1; + CertList->SignatureHeaderSize = 0; + CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, vendor_cert, vendor_cert_size); efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", &shim_lock_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, - DataSize, Data); + FullDataSize, FullData); if (efi_status != EFI_SUCCESS) { Print(L"Failed to set MokListRT %d\n", efi_status); } -done: return efi_status; } From 124a3c208e621da276d8236992503a4fd4740eb5 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 058/163] MokManager needs to disable the graphics console. Without this patch, on some machines we never see MokManager's UI. This protocol has never (I think?) been officially published, and yet I still have new hardware that needs it. If you're looking for a reference, look at: EdkCompatibilityPkg/Foundation/Protocol/ConsoleControl/ConsoleControl.c in the edk2 tree from Tiano. Signed-off-by: Peter Jones --- MokManager.c | 1 + 1 file changed, 1 insertion(+) diff --git a/MokManager.c b/MokManager.c index 7b7e150..5e9321a 100644 --- a/MokManager.c +++ b/MokManager.c @@ -6,6 +6,7 @@ #include "shim.h" #include "PeImage.h" #include "PasswordCrypt.h" +#include "console_control.h" #include "guid.h" #include "console.h" From bc71a15ed5d1912075f8c48be0243fdb1d35ac88 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 059/163] Make verbose stuff use console_notify Signed-off-by: Peter Jones --- Makefile | 4 +-- MokManager.c | 29 ----------------- .../console_control.h | 2 ++ lib/Makefile | 2 +- lib/console_control.c | 32 +++++++++++++++++++ shim.c | 16 +++++++--- 6 files changed, 48 insertions(+), 37 deletions(-) rename console_control.h => include/console_control.h (97%) create mode 100644 lib/console_control.c diff --git a/Makefile b/Makefile index 1752ef5..40103eb 100644 --- a/Makefile +++ b/Makefile @@ -38,9 +38,9 @@ VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key -SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h replacements.c replacements.h +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h include/console_control.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o -MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h +MOK_SOURCES = MokManager.c shim.h include/console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o FALLBACK_SRCS = fallback.c diff --git a/MokManager.c b/MokManager.c index 5e9321a..5d86e33 100644 --- a/MokManager.c +++ b/MokManager.c @@ -6,7 +6,6 @@ #include "shim.h" #include "PeImage.h" #include "PasswordCrypt.h" -#include "console_control.h" #include "guid.h" #include "console.h" @@ -1749,34 +1748,6 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) return EFI_SUCCESS; } -static VOID setup_console (int text) -{ - EFI_STATUS status; - EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; - EFI_CONSOLE_CONTROL_PROTOCOL *concon; - static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = - EfiConsoleControlScreenGraphics; - EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; - - status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); - if (status != EFI_SUCCESS) - return; - - if (text) { - new_mode = EfiConsoleControlScreenText; - - status = uefi_call_wrapper(concon->GetMode, 4, concon, &mode, - 0, 0); - /* If that didn't work, assume it's graphics */ - if (status != EFI_SUCCESS) - mode = EfiConsoleControlScreenGraphics; - } else { - new_mode = mode; - } - - uefi_call_wrapper(concon->SetMode, 2, concon, new_mode); -} - static EFI_STATUS setup_rand (void) { EFI_TIME time; diff --git a/console_control.h b/include/console_control.h similarity index 97% rename from console_control.h rename to include/console_control.h index 5fb8a4a..aec6f41 100644 --- a/console_control.h +++ b/include/console_control.h @@ -41,4 +41,6 @@ struct _EFI_CONSOLE_CONTROL_PROTOCOL { EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN LockStdIn; }; +extern VOID setup_console (int text); + #endif /* _SHIM_CONSOLE_CONTROL_H */ diff --git a/lib/Makefile b/lib/Makefile index c1b9ab3..f2b9091 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,6 +1,6 @@ TARGET = lib.a -LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o +LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o console_control.o ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) diff --git a/lib/console_control.c b/lib/console_control.c new file mode 100644 index 0000000..604a60f --- /dev/null +++ b/lib/console_control.c @@ -0,0 +1,32 @@ +#include +#include + +#include "console_control.h" + +VOID setup_console (int text) +{ + EFI_STATUS status; + EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; + EFI_CONSOLE_CONTROL_PROTOCOL *concon; + static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = + EfiConsoleControlScreenGraphics; + EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; + + status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); + if (status != EFI_SUCCESS) + return; + + if (text) { + new_mode = EfiConsoleControlScreenText; + + status = uefi_call_wrapper(concon->GetMode, 4, concon, &mode, + 0, 0); + /* If that didn't work, assume it's graphics */ + if (status != EFI_SUCCESS) + mode = EfiConsoleControlScreenGraphics; + } else { + new_mode = mode; + } + + uefi_call_wrapper(concon->SetMode, 2, concon, new_mode); +} diff --git a/shim.c b/shim.c index 8c4ef65..a72e091 100644 --- a/shim.c +++ b/shim.c @@ -43,10 +43,12 @@ #include "replacements.h" #include "ucs2.h" +#include "console_control.h" #include "guid.h" #include "variables.h" #include "efiauthenticated.h" #include "security_policy.h" +#include "console.h" #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" @@ -446,7 +448,7 @@ static BOOLEAN secure_mode (void) /* FIXME - more paranoia here? */ if (status != EFI_SUCCESS || sb != 1) { if (verbose) - Print(L"Secure boot not enabled\n"); + console_notify(L"Secure boot not enabled\n"); return FALSE; } @@ -456,7 +458,7 @@ static BOOLEAN secure_mode (void) if (status == EFI_SUCCESS && setupmode == 1) { if (verbose) - Print(L"Platform is in setup mode\n"); + console_notify(L"Platform is in setup mode\n"); return FALSE; } @@ -720,7 +722,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, if (status == EFI_SUCCESS) { if (verbose) - Print(L"Binary is whitelisted\n"); + console_notify(L"Binary is whitelisted\n"); return status; } @@ -733,7 +735,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; if (verbose) - Print(L"Binary is verified by the vendor certificate\n"); + console_notify(L"Binary is verified by the vendor certificate\n"); return status; } @@ -747,7 +749,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; if (verbose) - Print(L"Binary is verified by the vendor certificate\n"); + console_notify(L"Binary is verified by the vendor certificate\n"); return status; } @@ -1590,6 +1592,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ InitializeLib(image_handle, systab); + setup_console(1); + verbose_check_size = 1; efi_status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check, &verbose_check_size, global_var); @@ -1665,5 +1669,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) if (load_options_size > 0) FreePool(second_stage); + setup_console(0); + return efi_status; } From 417077f8de33214b2942f5a6d8ff6af217b4f5dd Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 060/163] Merge console_control.h and console.h Since these are topically the same thing, they can live together. Signed-off-by: Peter Jones --- Makefile | 4 ++-- MokManager.c | 1 - include/console.h | 47 +++++++++++++++++++++++++++++++++++++++ include/console_control.h | 46 -------------------------------------- lib/Makefile | 2 +- lib/console.c | 29 ++++++++++++++++++++++++ lib/console_control.c | 32 -------------------------- shim.c | 1 - 8 files changed, 79 insertions(+), 83 deletions(-) delete mode 100644 include/console_control.h delete mode 100644 lib/console_control.c diff --git a/Makefile b/Makefile index 40103eb..581be0a 100644 --- a/Makefile +++ b/Makefile @@ -38,9 +38,9 @@ VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key -SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h include/console_control.h +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o -MOK_SOURCES = MokManager.c shim.h include/console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h +MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o FALLBACK_SRCS = fallback.c diff --git a/MokManager.c b/MokManager.c index 5d86e33..de0eb59 100644 --- a/MokManager.c +++ b/MokManager.c @@ -2,7 +2,6 @@ #include #include #include -#include "console_control.h" #include "shim.h" #include "PeImage.h" #include "PasswordCrypt.h" diff --git a/include/console.h b/include/console.h index 7eb8a0b..d699d27 100644 --- a/include/console.h +++ b/include/console.h @@ -1,3 +1,6 @@ +#ifndef _SHIM_LIB_CONSOLE_H +#define _SHIM_LIB_CONSOLE_H 1 + EFI_INPUT_KEY console_get_keystroke(void); void @@ -19,3 +22,47 @@ console_notify(CHAR16 *string); void console_reset(void); #define NOSEL 0x7fffffff + +#define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \ + { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} } + +typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; + +typedef enum { + EfiConsoleControlScreenText, + EfiConsoleControlScreenGraphics, + EfiConsoleControlScreenMaxValue +} EFI_CONSOLE_CONTROL_SCREEN_MODE; + +typedef +EFI_STATUS +(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE) ( + IN EFI_CONSOLE_CONTROL_PROTOCOL *This, + OUT EFI_CONSOLE_CONTROL_SCREEN_MODE *Mode, + OUT BOOLEAN *GopUgaExists, OPTIONAL + OUT BOOLEAN *StdInLocked OPTIONAL + ); + +typedef +EFI_STATUS +(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE) ( + IN EFI_CONSOLE_CONTROL_PROTOCOL *This, + IN EFI_CONSOLE_CONTROL_SCREEN_MODE Mode + ); + +typedef +EFI_STATUS +(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN) ( + IN EFI_CONSOLE_CONTROL_PROTOCOL *This, + IN CHAR16 *Password + ); + +struct _EFI_CONSOLE_CONTROL_PROTOCOL { + EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE GetMode; + EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE SetMode; + EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN LockStdIn; +}; + +extern VOID setup_console (int text); + +#endif /* _SHIM_LIB_CONSOLE_H */ diff --git a/include/console_control.h b/include/console_control.h deleted file mode 100644 index aec6f41..0000000 --- a/include/console_control.h +++ /dev/null @@ -1,46 +0,0 @@ -#ifndef _SHIM_CONSOLE_CONTROL_H -#define _SHIM_CONSOLE_CONTROL_H 1 - -#define EFI_CONSOLE_CONTROL_PROTOCOL_GUID \ - { 0xf42f7782, 0x12e, 0x4c12, {0x99, 0x56, 0x49, 0xf9, 0x43, 0x4, 0xf7, 0x21} } - -typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; - -typedef enum { - EfiConsoleControlScreenText, - EfiConsoleControlScreenGraphics, - EfiConsoleControlScreenMaxValue -} EFI_CONSOLE_CONTROL_SCREEN_MODE; - -typedef -EFI_STATUS -(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE) ( - IN EFI_CONSOLE_CONTROL_PROTOCOL *This, - OUT EFI_CONSOLE_CONTROL_SCREEN_MODE *Mode, - OUT BOOLEAN *GopUgaExists, OPTIONAL - OUT BOOLEAN *StdInLocked OPTIONAL - ); - -typedef -EFI_STATUS -(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE) ( - IN EFI_CONSOLE_CONTROL_PROTOCOL *This, - IN EFI_CONSOLE_CONTROL_SCREEN_MODE Mode - ); - -typedef -EFI_STATUS -(EFIAPI *EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN) ( - IN EFI_CONSOLE_CONTROL_PROTOCOL *This, - IN CHAR16 *Password - ); - -struct _EFI_CONSOLE_CONTROL_PROTOCOL { - EFI_CONSOLE_CONTROL_PROTOCOL_GET_MODE GetMode; - EFI_CONSOLE_CONTROL_PROTOCOL_SET_MODE SetMode; - EFI_CONSOLE_CONTROL_PROTOCOL_LOCK_STD_IN LockStdIn; -}; - -extern VOID setup_console (int text); - -#endif /* _SHIM_CONSOLE_CONTROL_H */ diff --git a/lib/Makefile b/lib/Makefile index f2b9091..c1b9ab3 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,6 +1,6 @@ TARGET = lib.a -LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o console_control.o +LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) diff --git a/lib/console.c b/lib/console.c index af01f03..72d6427 100644 --- a/lib/console.c +++ b/lib/console.c @@ -1,5 +1,6 @@ /* * Copyright 2012 + * Copyright 2013 Red Hat Inc. * * see COPYING file */ @@ -400,3 +401,31 @@ console_reset(void) uefi_call_wrapper(co->SetMode, 2, co, 0); uefi_call_wrapper(co->ClearScreen, 1, co); } + +VOID setup_console (int text) +{ + EFI_STATUS status; + EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; + EFI_CONSOLE_CONTROL_PROTOCOL *concon; + static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = + EfiConsoleControlScreenGraphics; + EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; + + status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); + if (status != EFI_SUCCESS) + return; + + if (text) { + new_mode = EfiConsoleControlScreenText; + + status = uefi_call_wrapper(concon->GetMode, 4, concon, &mode, + 0, 0); + /* If that didn't work, assume it's graphics */ + if (status != EFI_SUCCESS) + mode = EfiConsoleControlScreenGraphics; + } else { + new_mode = mode; + } + + uefi_call_wrapper(concon->SetMode, 2, concon, new_mode); +} diff --git a/lib/console_control.c b/lib/console_control.c deleted file mode 100644 index 604a60f..0000000 --- a/lib/console_control.c +++ /dev/null @@ -1,32 +0,0 @@ -#include -#include - -#include "console_control.h" - -VOID setup_console (int text) -{ - EFI_STATUS status; - EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; - EFI_CONSOLE_CONTROL_PROTOCOL *concon; - static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = - EfiConsoleControlScreenGraphics; - EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; - - status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); - if (status != EFI_SUCCESS) - return; - - if (text) { - new_mode = EfiConsoleControlScreenText; - - status = uefi_call_wrapper(concon->GetMode, 4, concon, &mode, - 0, 0); - /* If that didn't work, assume it's graphics */ - if (status != EFI_SUCCESS) - mode = EfiConsoleControlScreenGraphics; - } else { - new_mode = mode; - } - - uefi_call_wrapper(concon->SetMode, 2, concon, new_mode); -} diff --git a/shim.c b/shim.c index a72e091..3c55a5a 100644 --- a/shim.c +++ b/shim.c @@ -43,7 +43,6 @@ #include "replacements.h" #include "ucs2.h" -#include "console_control.h" #include "guid.h" #include "variables.h" #include "efiauthenticated.h" From bb2fe4cfb3fc050e4ef0dbb6af0c53a4f75200c9 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:03:16 -0400 Subject: [PATCH 061/163] Conditionalize overriding the security policy. Make OVERRIDE_SECURITY_POLICY a build option. Signed-off-by: Peter Jones --- Makefile | 4 ++++ include/security_policy.h | 7 +++++++ lib/security_policy.c | 2 ++ shim.c | 4 ++++ 4 files changed, 17 insertions(+) diff --git a/Makefile b/Makefile index 581be0a..311a2c9 100644 --- a/Makefile +++ b/Makefile @@ -21,6 +21,10 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) + +ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) + CFLAGS += -DOVERRIDE_SECURITY_POLICY +endif ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif diff --git a/include/security_policy.h b/include/security_policy.h index b0109ce..7854db1 100644 --- a/include/security_policy.h +++ b/include/security_policy.h @@ -1,3 +1,7 @@ +#ifndef _SHIM_LIB_SECURITY_POLICY_H +#define _SHIM_LIB_SECURITY_POLICY_H 1 + +#if defined(OVERRIDE_SECURITY_POLICY) typedef EFI_STATUS (*SecurityHook) (void *data, UINT32 len); EFI_STATUS @@ -6,3 +10,6 @@ EFI_STATUS security_policy_uninstall(void); void security_protocol_set_hashes(unsigned char *esl, int len); +#endif /* OVERRIDE_SECURITY_POLICY */ + +#endif /* SHIM_LIB_SECURITY_POLICY_H */ diff --git a/lib/security_policy.c b/lib/security_policy.c index f1b0842..9af3a10 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -14,6 +14,7 @@ #include #include +#if defined(OVERRIDE_SECURITY_POLICY) #include /* @@ -348,3 +349,4 @@ security_protocol_set_hashes(unsigned char *esl, int len) security_policy_esl = esl; security_policy_esl_len = len; } +#endif /* OVERRIDE_SECURITY_POLICY */ diff --git a/shim.c b/shim.c index 3c55a5a..b725629 100644 --- a/shim.c +++ b/shim.c @@ -1629,10 +1629,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) &shim_lock_guid, EFI_NATIVE_INTERFACE, &shim_lock_interface); +#if defined(OVERRIDE_SECURITY_POLICY) /* * Install the security protocol hook */ security_policy_install(shim_verify); +#endif /* * Enter MokManager if necessary @@ -1657,10 +1659,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, &shim_lock_guid, &shim_lock_interface); +#if defined(OVERRIDE_SECURITY_POLICY) /* * Clean up the security protocol hook */ security_policy_uninstall(); +#endif /* * Free the space allocated for the alternative 2nd stage loader From 7076ec11b094b49e087545ebb48e255c92b44c2a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 14:38:09 -0400 Subject: [PATCH 062/163] Clean up warnings. Signed-off-by: Peter Jones --- lib/Makefile | 4 +++- lib/execute.c | 2 +- lib/simple_file.c | 9 +++++---- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index c1b9ab3..adb0347 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -11,7 +11,9 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -mno-red-zone -DBUILD_EFI $(EFI_INCLUDES) + -fshort-wchar -Wall -mno-red-zone -DBUILD_EFI -fno-builtin \ + -Werror \ + $(EFI_INCLUDES) ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif diff --git a/lib/execute.c b/lib/execute.c index 8d726eb..42d71c8 100644 --- a/lib/execute.c +++ b/lib/execute.c @@ -103,7 +103,7 @@ execute(EFI_HANDLE image, CHAR16 *name) CHAR16 *PathName; status = uefi_call_wrapper(BS->HandleProtocol, 3, image, - &IMAGE_PROTOCOL, &li); + &IMAGE_PROTOCOL, (void **)&li); if (status != EFI_SUCCESS) return status; diff --git a/lib/simple_file.c b/lib/simple_file.c index e288272..3af0ec8 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -25,7 +25,7 @@ simple_file_open_by_handle(EFI_HANDLE device, CHAR16 *name, EFI_FILE **file, UIN EFI_FILE *root; efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, device, - &SIMPLE_FS_PROTOCOL, &drive); + &SIMPLE_FS_PROTOCOL, (void **)&drive); if (efi_status != EFI_SUCCESS) { Print(L"Unable to find simple file protocol (%d)\n", efi_status); @@ -56,7 +56,7 @@ simple_file_open(EFI_HANDLE image, CHAR16 *name, EFI_FILE **file, UINT64 mode) CHAR16 *PathName = NULL; efi_status = uefi_call_wrapper(BS->HandleProtocol, 3, image, - &IMAGE_PROTOCOL, &li); + &IMAGE_PROTOCOL, (void **)&li); if (efi_status != EFI_SUCCESS) return simple_file_open_by_handle(image, name, file, mode); @@ -116,7 +116,7 @@ simple_dir_read_all_by_handle(EFI_HANDLE image, EFI_FILE *file, CHAR16* name, EF return EFI_OUT_OF_RESOURCES; int i; for (i = 0; i < *count; i++) { - int len = size; + UINTN len = size; uefi_call_wrapper(file->Read, 3, file, &len, ptr); ptr += len; size -= len; @@ -223,7 +223,8 @@ simple_volume_selector(CHAR16 **title, CHAR16 **selected, EFI_HANDLE *h) status = uefi_call_wrapper(BS->HandleProtocol, 3, vol_handles[i], - &SIMPLE_FS_PROTOCOL, &drive); + &SIMPLE_FS_PROTOCOL, + (void **)&drive); if (status != EFI_SUCCESS || !drive) continue; From 1d56305945553d372ade5054f52baeed8b6f9b33 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 1 Oct 2013 16:33:58 -0400 Subject: [PATCH 063/163] If we fail to install our protocol, don't continue. This shouldn't be exploitable unless you've got a way to make InstallProtocol fail and still, for example, have memory free to actually load and run something. Signed-off-by: Peter Jones --- shim.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index b725629..2a3d055 100644 --- a/shim.c +++ b/shim.c @@ -1625,9 +1625,14 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) /* * Install the protocol */ - uefi_call_wrapper(BS->InstallProtocolInterface, 4, &handle, - &shim_lock_guid, EFI_NATIVE_INTERFACE, + efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, + &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE, &shim_lock_interface); + if (EFI_ERROR(efi_status)) { + console_error("Could not install security protocol", + efi_status); + return efi_status; + } #if defined(OVERRIDE_SECURITY_POLICY) /* From a847e33aafe7ac13a60cedab8b702ff9fd296e60 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 2 Oct 2013 10:00:11 -0400 Subject: [PATCH 064/163] Fix wrong type on console_error() call. Stupid L"". Signed-off-by: Peter Jones --- shim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shim.c b/shim.c index 2a3d055..f311914 100644 --- a/shim.c +++ b/shim.c @@ -1629,7 +1629,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE, &shim_lock_interface); if (EFI_ERROR(efi_status)) { - console_error("Could not install security protocol", + console_error(L"Could not install security protocol", efi_status); return efi_status; } From aed556c4abc0ecb408684ac3544ff3ec04bad109 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 2 Oct 2013 10:02:01 -0400 Subject: [PATCH 065/163] CompareMem expects void * and gcc complains. Sorry about that. Signed-off-by: Peter Jones --- lib/configtable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/configtable.c b/lib/configtable.c index 735ce8f..e2d92bf 100644 --- a/lib/configtable.c +++ b/lib/configtable.c @@ -101,7 +101,7 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath) break; } - if (CompareMem(dp, DevicePath, Size) == 0) { + if (CompareMem(dp, (void *)DevicePath, Size) == 0) { #ifdef DEBUG_CONFIG Print(L"***FOUND\n"); console_get_keystroke(); From cb89c25aebe96a7ecaaa3983786e6a7661465b03 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 2 Oct 2013 10:46:26 -0400 Subject: [PATCH 066/163] Use CHAR8 not UINT8 for character work. This gets rid of a lot of type casting that we don't need, and helps reduce warnings when I switch a bunch of gnu-efi stuff to taking const arguments. Signed-off-by: Peter Jones --- netboot.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/netboot.c b/netboot.c index 3554fc8..a83c82a 100644 --- a/netboot.c +++ b/netboot.c @@ -52,7 +52,7 @@ static inline unsigned short int __swap16(unsigned short int x) static EFI_PXE_BASE_CODE *pxe; static EFI_IP_ADDRESS tftp_addr; -static UINT8 *full_path; +static CHAR8 *full_path; typedef struct { @@ -188,10 +188,10 @@ static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) return NULL; } -static UINT16 str2ns(UINT8 *str) +static CHAR16 str2ns(CHAR8 *str) { - UINT16 ret = 0; - UINT8 v; + CHAR16 ret = 0; + CHAR8 v; for(;*str;str++) { if ('0' <= *str && *str <= '9') v = *str - '0'; @@ -206,18 +206,18 @@ static UINT16 str2ns(UINT8 *str) return htons(ret); } -static UINT8 *str2ip6(char *str) +static CHAR8 *str2ip6(CHAR8 *str) { UINT8 i, j, p; size_t len; - UINT8 *a, *b, t; + CHAR8 *a, *b, t; static UINT16 ip[8]; for(i=0; i < 8; i++) { ip[i] = 0; } - len = strlen((UINT8 *)str); - a = b = (UINT8 *)str; + len = strlen(str); + a = b = str; for(i=p=0; i < len; i++, b++) { if (*b != ':') continue; @@ -228,7 +228,7 @@ static UINT8 *str2ip6(char *str) if ( *(b+1) == ':' ) break; } - a = b = (UINT8 *)(str + len); + a = b = (str + len); for(j=len, p=7; j > i; j--, a--) { if (*a != ':') continue; @@ -238,13 +238,13 @@ static UINT8 *str2ip6(char *str) *b = t; b = a; } - return (UINT8 *)ip; + return (CHAR8 *)ip; } static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; - char ip6str[40]; + CHAR8 ip6str[40]; CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { From 2892db7fda682715851c72c6a884781d1452f056 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 2 Oct 2013 10:48:41 -0400 Subject: [PATCH 067/163] Remove "shim.cer" on "make clean". If we don't do this, an old key winds up being reused and MokManager.efi.signed is signed with a different key than shim_cert reflects. Signed-off-by: Peter Jones --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 311a2c9..53c4e00 100644 --- a/Makefile +++ b/Makefile @@ -41,7 +41,7 @@ VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o -KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key +KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h From 47ebeb6262a5bb6b115ef0b37850a9ea382f5cfb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 2 Oct 2013 11:29:34 -0400 Subject: [PATCH 068/163] Add support for disabling db for verification Provide a mechanism for a physically present end user to disable the use of db when doing signature verification. This is handled by the OS passing down a variable that contains a UINT32 and a SHA256 hash. If this variable is present, MokManager prompts the user to choose whether to enable or disable the use of db for verification purposes (depending on the value of the UINT32). They are then asked to type the passphrase that matches the hash. This then saves a boot services variable which is checked by shim, and if set will cause shim to not use db for verification purposes. If db is to be ignored, shim will export a runtime variable called 'MokIgnoreDB' for the OS to query at runtime. Signed-off-by: Josh Boyer --- MokManager.c | 153 ++++++++++++++++++++++++++++++++++++++++++++++++++- MokVars.txt | 23 ++++++++ shim.c | 107 +++++++++++++++++++++++++++++------ 3 files changed, 264 insertions(+), 19 deletions(-) diff --git a/MokManager.c b/MokManager.c index de0eb59..f5ed379 100644 --- a/MokManager.c +++ b/MokManager.c @@ -50,6 +50,12 @@ typedef struct { CHAR16 Password[SB_PASSWORD_LEN]; } __attribute__ ((packed)) MokSBvar; +typedef struct { + UINT32 MokDBState; + UINT32 PWLen; + CHAR16 Password[SB_PASSWORD_LEN]; +} __attribute__ ((packed)) MokDBvar; + static EFI_STATUS get_sha1sum (void *Data, int DataSize, UINT8 *hash) { EFI_STATUS status; @@ -1116,6 +1122,118 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { return -1; } +static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status; + SIMPLE_TEXT_OUTPUT_MODE SavedMode; + MokDBvar *var = MokDB; + CHAR16 *message[4]; + CHAR16 pass1, pass2, pass3; + CHAR16 *str; + UINT8 fail_count = 0; + UINT8 dbval = 1; + UINT8 pos1, pos2, pos3; + int ret; + + if (MokDBSize != sizeof(MokDBvar)) { + console_notify(L"Invalid MokDB variable contents"); + return -1; + } + + uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); + + message[0] = L"Change DB state"; + message[1] = NULL; + + console_save_and_set_mode(&SavedMode); + console_print_box_at(message, -1, 0, 0, -1, -1, 1, 1); + console_restore_mode(&SavedMode); + + while (fail_count < 3) { + RandomBytes (&pos1, sizeof(pos1)); + pos1 = (pos1 % var->PWLen); + + do { + RandomBytes (&pos2, sizeof(pos2)); + pos2 = (pos2 % var->PWLen); + } while (pos2 == pos1); + + do { + RandomBytes (&pos3, sizeof(pos3)); + pos3 = (pos3 % var->PWLen) ; + } while (pos3 == pos2 || pos3 == pos1); + + str = PoolPrint(L"Enter password character %d: ", pos1 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return -1; + } + pass1 = get_password_charater(str); + FreePool(str); + + str = PoolPrint(L"Enter password character %d: ", pos2 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return -1; + } + pass2 = get_password_charater(str); + FreePool(str); + + str = PoolPrint(L"Enter password character %d: ", pos3 + 1); + if (!str) { + console_errorbox(L"Failed to allocate buffer"); + return -1; + } + pass3 = get_password_charater(str); + FreePool(str); + + if (pass1 != var->Password[pos1] || + pass2 != var->Password[pos2] || + pass3 != var->Password[pos3]) { + Print(L"Invalid character\n"); + fail_count++; + } else { + break; + } + } + + if (fail_count >= 3) { + console_notify(L"Password limit reached"); + return -1; + } + + if (var->MokDBState == 0) + ret = console_yes_no((CHAR16 *[]){L"Ignore DB certs/hashes", NULL}); + else + ret = console_yes_no((CHAR16 *[]){L"Use DB certs/hashes", NULL}); + + if (ret == 0) { + LibDeleteVariable(L"MokDB", &shim_lock_guid); + return -1; + } + + if (var->MokDBState == 0) { + efi_status = uefi_call_wrapper(RT->SetVariable, + 5, L"MokDBState", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 1, &dbval); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to set DB state"); + return -1; + } + } else { + LibDeleteVariable(L"MokDBState", &shim_lock_guid); + } + + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot"); + return -1; +} + static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; @@ -1517,6 +1635,7 @@ typedef enum { MOK_DELETE_MOK, MOK_CHANGE_SB, MOK_SET_PW, + MOK_CHANGE_DB, MOK_KEY_ENROLL, MOK_HASH_ENROLL } mok_menu_item; @@ -1525,7 +1644,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokNew, UINTN MokNewSize, void *MokDel, UINTN MokDelSize, void *MokSB, UINTN MokSBSize, - void *MokPW, UINTN MokPWSize) + void *MokPW, UINTN MokPWSize, + void *MokDB, UINTN MokDBSize) { CHAR16 **menu_strings; mok_menu_item *menu_item; @@ -1572,6 +1692,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, if (MokPW) menucount++; + if (MokDB) + menucount++; + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) @@ -1618,6 +1741,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, i++; } + if (MokDB) { + menu_strings[i] = L"Change DB state"; + menu_item[i] = MOK_CHANGE_DB; + i++; + } + menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; @@ -1656,6 +1785,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, case MOK_SET_PW: mok_pw_prompt(MokPW, MokPWSize); break; + case MOK_CHANGE_DB: + mok_db_prompt(MokDB, MokDBSize); + break; case MOK_KEY_ENROLL: mok_key_enroll(); break; @@ -1679,11 +1811,13 @@ out: static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; + UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0, + MokDBSize = 0; void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; void *MokPW = NULL; + void *MokDB = NULL; EFI_STATUS status; status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, @@ -1726,8 +1860,18 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) console_error(L"Could not retrieve MokPW", status); } + status = get_variable(L"MokDB", (UINT8 **)&MokDB, &MokDBSize, + shim_lock_guid); + if (status == EFI_SUCCESS) { + if (LibDeleteVariable(L"MokDB", &shim_lock_guid) != EFI_SUCCESS) { + console_notify(L"Failed to delete MokDB"); + } + } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve MokDB", status); + } + enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, - MokSB, MokSBSize, MokPW, MokPWSize); + MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize); if (MokNew) FreePool (MokNew); @@ -1741,6 +1885,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokPW) FreePool (MokPW); + if (MokDB) + FreePool (MokDB); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); diff --git a/MokVars.txt b/MokVars.txt index 74f0908..cac5349 100644 --- a/MokVars.txt +++ b/MokVars.txt @@ -25,6 +25,23 @@ three randomly chosen characters from the password. If successful, they will then be prompted to change the signature validation according to MokSBState. BS,RT,NV +MokDB: Set by MokUtil when requesting a change in state of validation +using db hashes and certs. A packed structure as follows: + +typedef struct { + UINT32 MokDBState; + UINT32 PWLen; + CHAR16 Password[PASSWORD_MAX]; +} __attribute__ ((packed)) MokDBvar; + +If MokDBState is 0, the user will be prompted to disable usage of db for +validation. Otherwise, the user will be prompted to allow it. PWLen +is the length of the password, in characters. Password is a UCS-2 +representation of the password. The user will be prompted to enter +three randomly chosen characters from the password. If successful, +they will then be prompted to change the signature validation +according to MokDBState. BS,RT,NV + MokNew: Set by MokUtil when requesting the addition or removal of keys from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI specification. BS,RT,NV @@ -46,6 +63,12 @@ MokListRT: A copy of MokList made available to the kernel at runtime. RT MokSBState: An 8-bit unsigned integer. If 1, shim will switch to insecure mode. BS,NV +MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for +verification. BS,NV + +MokIgnoreDB: An 8-bit unsigned integer. This allows the OS to query whether +or not to import DB certs for its own verification purposes. + MokPWStore: A SHA-256 representation of the password set by the user via MokPW. The user will be prompted to enter this password in order to interact with MokManager. diff --git a/shim.c b/shim.c index f311914..690cb09 100644 --- a/shim.c +++ b/shim.c @@ -86,6 +86,7 @@ int loader_is_participating; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} UINT8 insecure_mode; +UINT8 ignore_db; typedef enum { DATA_FOUND, @@ -393,28 +394,31 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; EFI_GUID shim_var = SHIM_LOCK_GUID; - if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE, - EFI_CERT_SHA256_GUID) == DATA_FOUND) { - update_verification_method(VERIFIED_BY_HASH); - return EFI_SUCCESS; - } - if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE, - EFI_CERT_SHA1_GUID) == DATA_FOUND) { - verification_method = VERIFIED_BY_HASH; - update_verification_method(VERIFIED_BY_HASH); - return EFI_SUCCESS; + if (!ignore_db) { + if (check_db_hash(L"db", secure_var, sha256hash, SHA256_DIGEST_SIZE, + EFI_CERT_SHA256_GUID) == DATA_FOUND) { + update_verification_method(VERIFIED_BY_HASH); + return EFI_SUCCESS; + } + if (check_db_hash(L"db", secure_var, sha1hash, SHA1_DIGEST_SIZE, + EFI_CERT_SHA1_GUID) == DATA_FOUND) { + verification_method = VERIFIED_BY_HASH; + update_verification_method(VERIFIED_BY_HASH); + return EFI_SUCCESS; + } + if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) { + verification_method = VERIFIED_BY_CERT; + update_verification_method(VERIFIED_BY_CERT); + return EFI_SUCCESS; + } } + if (check_db_hash(L"MokList", shim_var, sha256hash, SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == DATA_FOUND) { verification_method = VERIFIED_BY_HASH; update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; } - if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) { - verification_method = VERIFIED_BY_CERT; - update_verification_method(VERIFIED_BY_CERT); - return EFI_SUCCESS; - } if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); @@ -1428,7 +1432,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (check_var(L"MokNew") || check_var(L"MokSB") || check_var(L"MokPW") || check_var(L"MokAuth") || - check_var(L"MokDel")) { + check_var(L"MokDel") || check_var(L"MokDB")) { efi_status = start_image(image_handle, MOK_MANAGER); if (efi_status != EFI_SUCCESS) { @@ -1481,6 +1485,71 @@ static EFI_STATUS check_mok_sb (void) return status; } +/* + * Verify that MokDBState is valid, and if appropriate set ignore db mode + */ + +static EFI_STATUS check_mok_db (void) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS status = EFI_SUCCESS; + UINT8 *MokDBState = NULL; + UINTN MokDBStateSize = 0; + UINT32 attributes; + + status = get_variable_attr(L"MokDBState", &MokDBState, &MokDBStateSize, + shim_lock_guid, &attributes); + + if (status != EFI_SUCCESS) + return EFI_ACCESS_DENIED; + + ignore_db = 0; + + /* + * Delete and ignore the variable if it's been set from or could be + * modified by the OS + */ + if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { + Print(L"MokDBState is compromised! Clearing it\n"); + if (LibDeleteVariable(L"MokDBState", &shim_lock_guid) != EFI_SUCCESS) { + Print(L"Failed to erase MokDBState\n"); + } + status = EFI_ACCESS_DENIED; + } else { + if (*(UINT8 *)MokDBState == 1) { + ignore_db = 1; + } + } + + FreePool(MokDBState); + + return status; +} + +static EFI_STATUS mok_ignore_db() +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status = EFI_SUCCESS; + UINT8 Data = 1; + UINTN DataSize = sizeof(UINT8); + + check_mok_db(); + + if (ignore_db) { + efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokIgnoreDB", + &shim_lock_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, (void *)&Data); + if (efi_status != EFI_SUCCESS) { + Print(L"Failed to set MokIgnoreDB %d\n", efi_status); + } + } + + return efi_status; + +} + /* * Check the load options to specify the second stage loader */ @@ -1652,6 +1721,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ efi_status = mirror_mok_list(); + /* + * Create the runtime MokIgnoreDB variable so the kernel can make + * use of it + */ + efi_status = mok_ignore_db(); + /* * Hand over control to the second stage bootloader */ From c50f5a2d4a22ddd2429dd8594d6510cfd813d53a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 2 Oct 2013 13:33:52 -0400 Subject: [PATCH 069/163] Update for Josh's changes. Signed-off-by: Peter Jones --- TODO | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/TODO b/TODO index fe50e50..029b0bf 100644 --- a/TODO +++ b/TODO @@ -16,11 +16,8 @@ Modsign enforcement mgmt MoK: features need to be disableable/enableable in MokManager. Variable for debug: - basically we need to be able to set a UEFI variable and get debug - output. -Db key mokutil config: -- Asked for by Mimi Zohar: An (on/off) option that would prevent the shim - and the kernel from trusting keys listed in 'db' and only use those coming - from the MOK List. + output. Right now some code uses SHIM_VERBOSE but that needs a fair + amount of work to actually be useful. Hashing of option roms: - hash option roms and add them to MokListRT - probably belongs in MokManager From 0fb089ee14e92bd1f6909deaf4d32a926053edcd Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 3 Oct 2013 11:11:09 -0400 Subject: [PATCH 070/163] Add ident-like blobs to shim.efi for version checking. I feel dirty. --- .gitignore | 1 + Makefile | 14 +++++++++++--- include/console.h | 2 ++ lib/console.c | 14 ++++++++++++++ shim.c | 4 ++++ version.c.in | 8 ++++++++ version.h | 8 ++++++++ 7 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 version.c.in create mode 100644 version.h diff --git a/.gitignore b/.gitignore index 85da8e7..586bc24 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,4 @@ shim_cert.h *.srl *.srl.old *.tar.* +version.c diff --git a/Makefile b/Makefile index 53c4e00..4a8b553 100644 --- a/Makefile +++ b/Makefile @@ -40,9 +40,9 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH VERSION = 0.4 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed -OBJS = shim.o netboot.o cert.o replacements.o +OBJS = shim.o netboot.o cert.o replacements.o version.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer -SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o @@ -61,6 +61,12 @@ shim_cert.h: shim.cer hexdump -v -e '1/1 "0x%02x, "' $< >> $@ echo "};" >> $@ +version.c : version.c.in + sed -e "s,@@VERSION@@,$(VERSION)," \ + -e "s,@@UNAME@@,$(shell uname -a)," \ + -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ + < version.c.in > version.c + certdb/secmod.db: shim.crt -mkdir certdb certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt @@ -115,7 +121,7 @@ clean: $(MAKE) -C Cryptlib/OpenSSL clean $(MAKE) -C lib clean rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb - rm -f *.debug *.so *.efi *.tar.* + rm -f *.debug *.so *.efi *.tar.* version.c GITTAG = $(VERSION) @@ -125,6 +131,7 @@ test-archive: @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff ) @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" @@ -135,6 +142,7 @@ archive: @mkdir -p /tmp/shim-$(VERSION)-tmp @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" diff --git a/include/console.h b/include/console.h index d699d27..fbeb7e6 100644 --- a/include/console.h +++ b/include/console.h @@ -20,6 +20,8 @@ console_alertbox(CHAR16 **title); void console_notify(CHAR16 *string); void +console_notify_ascii(CHAR8 *string); +void console_reset(void); #define NOSEL 0x7fffffff diff --git a/lib/console.c b/lib/console.c index 72d6427..44b08f2 100644 --- a/lib/console.c +++ b/lib/console.c @@ -312,6 +312,20 @@ console_notify(CHAR16 *string) console_alertbox(str_arr); } +void +console_notify_ascii(CHAR8 *string) +{ + CHAR16 *str = AllocateZeroPool((strlena(string) + 1) * 2); + int i, j; + + if (!str) + return; + + for (i = 0, j = 1; string[i] != '\0'; i++, j+=2) + str[j] = string[i]; + console_notify(str); +} + #define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) /* Copy of gnu-efi-3.0 with the added secure boot strings */ diff --git a/shim.c b/shim.c index 690cb09..873fd2e 100644 --- a/shim.c +++ b/shim.c @@ -48,6 +48,7 @@ #include "efiauthenticated.h" #include "security_policy.h" #include "console.h" +#include "version.h" #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" @@ -1668,6 +1669,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) if (!EFI_ERROR(efi_status)) verbose = verbose_check; + if (verbose) + console_notify_ascii(shim_version); + /* Set the second stage loader */ set_second_stage (image_handle); diff --git a/version.c.in b/version.c.in new file mode 100644 index 0000000..9e71970 --- /dev/null +++ b/version.c.in @@ -0,0 +1,8 @@ + +#include "version.h" + +CHAR8 shim_version[] = + "UEFI SHIM\n" + "$Version: @@VERSION@@ $\n" + "$BuildMachine: @@UNAME@@ $\n" + "$Commit: @@COMMIT@@ $\n"; diff --git a/version.h b/version.h new file mode 100644 index 0000000..7fb3d81 --- /dev/null +++ b/version.h @@ -0,0 +1,8 @@ +#ifndef _SHIM_VERSION_H +#define _SHIM_VERSION_H 1 + +#include + +extern CHAR8 shim_version[]; + +#endif /* SHIM_VERSION_H */ From a3beb2a6f7b9ba6af08318355f66f3438770f15d Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 3 Oct 2013 17:04:45 -0400 Subject: [PATCH 071/163] Improve PE image bounds checking. Signed-off-by: Peter Jones --- shim.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/shim.c b/shim.c index 873fd2e..ebd7f0d 100644 --- a/shim.c +++ b/shim.c @@ -144,10 +144,18 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, Adjust = (UINT64)data - context->ImageAddress; + if (Adjust == 0) + return EFI_SUCCESS; + while (RelocBase < RelocBaseEnd) { Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION)); - RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); + if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) { + Print(L"Reloc block size is invalid\n"); + return EFI_UNSUPPORTED; + } + + RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) { Print(L"Reloc entry overflows binary\n"); return EFI_UNSUPPORTED; From 4bf7fb2ef1ed13251efad3928d41e5eaf2f4aaa4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 4 Oct 2013 11:51:09 -0400 Subject: [PATCH 072/163] Add Tiano patch e98e59c237e17f064a4ecffb39d45499f89720a1 This is: Fix a bug in OpensslLib that PKCS7_verify will use over 8k stack space. Signed-off-by: Fu Siyuan Reviewed-by: Ye Ting Reviewed-by: Dong Guo from upstream. --- Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c index d6db27c..b0ff89a 100755 --- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c +++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c @@ -176,7 +176,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, STACK_OF(PKCS7_SIGNER_INFO) *sinfos; PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; - char buf[4096]; + char *buf = NULL; + int bufsiz; int i, j=0, k, ret = 0; BIO *p7bio; BIO *tmpin, *tmpout; @@ -287,10 +288,16 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO_set_mem_eof_return(tmpout, 0); } else tmpout = out; + bufsiz = 4096; + buf = OPENSSL_malloc (bufsiz); + if (buf == NULL) { + goto err; + } + /* We now have to 'read' from p7bio to calculate digests etc. */ for (;;) { - i=BIO_read(p7bio,buf,sizeof(buf)); + i=BIO_read(p7bio,buf,bufsiz); if (i <= 0) break; if (tmpout) BIO_write(tmpout, buf, i); } @@ -329,6 +336,10 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); + if (buf != NULL) { + OPENSSL_free (buf); + } + return ret; } From 36d13930ee66e12d581a259b2f49b65eed41daeb Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 4 Oct 2013 11:51:09 -0400 Subject: [PATCH 073/163] Update to current Tiano Cryptlib --- Cryptlib/Cipher/CryptAes.c | 14 +- Cryptlib/Cipher/CryptArc4.c | 12 +- Cryptlib/Cipher/CryptTdes.c | 22 +- Cryptlib/Hash/CryptMd4.c | 8 +- Cryptlib/Hash/CryptMd5.c | 8 +- Cryptlib/Hash/CryptSha1.c | 8 +- Cryptlib/Hash/CryptSha256.c | 8 +- Cryptlib/Hmac/CryptHmacMd5.c | 4 +- Cryptlib/Hmac/CryptHmacSha1.c | 4 +- Cryptlib/InternalCryptLib.h | 22 +- Cryptlib/Library/BaseCryptLib.h | 2 +- Cryptlib/Makefile | 3 +- Cryptlib/Pem/CryptPem.c | 32 +- Cryptlib/Pk/CryptAuthenticode.c | 20 + Cryptlib/Pk/CryptDh.c | 88 +++- Cryptlib/Pk/CryptRsa.c | 722 --------------------------- Cryptlib/Pk/CryptRsaBasic.c | 335 +++++++++++++ Cryptlib/Pk/CryptRsaExt.c | 377 ++++++++++++++ Cryptlib/Pk/CryptX509.c | 164 ++---- Cryptlib/Rand/CryptRand.c | 6 +- Cryptlib/SysCall/BaseMemAllocation.c | 6 +- Cryptlib/SysCall/CrtWrapper.c | 10 + 22 files changed, 947 insertions(+), 928 deletions(-) delete mode 100644 Cryptlib/Pk/CryptRsa.c create mode 100644 Cryptlib/Pk/CryptRsaBasic.c create mode 100644 Cryptlib/Pk/CryptRsaExt.c diff --git a/Cryptlib/Cipher/CryptAes.c b/Cryptlib/Cipher/CryptAes.c index 45e4a43..753d798 100644 --- a/Cryptlib/Cipher/CryptAes.c +++ b/Cryptlib/Cipher/CryptAes.c @@ -38,7 +38,7 @@ AesGetContextSize ( Initializes user-supplied memory as AES context for subsequent use. This function initializes user-supplied memory pointed by AesContext as AES context. - In addtion, it sets up all AES key materials for subsequent encryption and decryption + In addition, it sets up all AES key materials for subsequent encryption and decryption operations. There are 3 options for key length, 128 bits, 192 bits, and 256 bits. @@ -241,7 +241,11 @@ AesCbcEncrypt ( // // Check input parameters. // - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Ivec == NULL || Output == NULL) { + if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0) { + return FALSE; + } + + if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) { return FALSE; } @@ -299,7 +303,11 @@ AesCbcDecrypt ( // // Check input parameters. // - if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Ivec == NULL || Output == NULL) { + if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0) { + return FALSE; + } + + if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) { return FALSE; } diff --git a/Cryptlib/Cipher/CryptArc4.c b/Cryptlib/Cipher/CryptArc4.c index 6921418..f3c4d31 100644 --- a/Cryptlib/Cipher/CryptArc4.c +++ b/Cryptlib/Cipher/CryptArc4.c @@ -32,14 +32,14 @@ Arc4GetContextSize ( // for backup copy. When Arc4Reset() is called, we can use the backup copy to restore // the working copy to the initial state. // - return (UINTN) (2 * sizeof(RC4_KEY)); + return (UINTN) (2 * sizeof (RC4_KEY)); } /** Initializes user-supplied memory as ARC4 context for subsequent use. This function initializes user-supplied memory pointed by Arc4Context as ARC4 context. - In addtion, it sets up all ARC4 key materials for subsequent encryption and decryption + In addition, it sets up all ARC4 key materials for subsequent encryption and decryption operations. If Arc4Context is NULL, then return FALSE. @@ -75,7 +75,7 @@ Arc4Init ( RC4_set_key (Rc4Key, (UINT32) KeySize, Key); - CopyMem (Rc4Key + 1, Rc4Key, sizeof(RC4_KEY)); + CopyMem (Rc4Key + 1, Rc4Key, sizeof (RC4_KEY)); return TRUE; } @@ -115,7 +115,7 @@ Arc4Encrypt ( // // Check input parameters. // - if (Arc4Context == NULL || Input == NULL || Output == NULL) { + if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) { return FALSE; } @@ -161,7 +161,7 @@ Arc4Decrypt ( // // Check input parameters. // - if (Arc4Context == NULL || Input == NULL || Output == NULL) { + if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) { return FALSE; } @@ -205,7 +205,7 @@ Arc4Reset ( Rc4Key = (RC4_KEY *) Arc4Context; - CopyMem (Rc4Key, Rc4Key + 1, sizeof(RC4_KEY)); + CopyMem (Rc4Key, Rc4Key + 1, sizeof (RC4_KEY)); return TRUE; } diff --git a/Cryptlib/Cipher/CryptTdes.c b/Cryptlib/Cipher/CryptTdes.c index 8213718..f89094a 100644 --- a/Cryptlib/Cipher/CryptTdes.c +++ b/Cryptlib/Cipher/CryptTdes.c @@ -37,7 +37,7 @@ TdesGetContextSize ( Initializes user-supplied memory as TDES context for subsequent use. This function initializes user-supplied memory pointed by TdesContext as TDES context. - In addtion, it sets up all TDES key materials for subsequent encryption and decryption + In addition, it sets up all TDES key materials for subsequent encryption and decryption operations. There are 3 key options as follows: KeyLength = 64, Keying option 1: K1 == K2 == K3 (Backward compatibility with DES) @@ -76,9 +76,9 @@ TdesInit ( KeySchedule = (DES_key_schedule *) TdesContext; // - // + // If input Key is a weak key, return error. // - if (DES_is_weak_key ((const_DES_cblock *) Key)) { + if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) { return FALSE; } @@ -90,7 +90,7 @@ TdesInit ( return TRUE; } - if (DES_is_weak_key ((const_DES_cblock *) Key + 8)) { + if (DES_is_weak_key ((const_DES_cblock *) Key + 8) == 1) { return FALSE; } @@ -101,7 +101,7 @@ TdesInit ( return TRUE; } - if (DES_is_weak_key ((const_DES_cblock *) Key + 16)) { + if (DES_is_weak_key ((const_DES_cblock *) Key + 16) == 1) { return FALSE; } @@ -275,7 +275,11 @@ TdesCbcEncrypt ( // // Check input parameters. // - if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Ivec == NULL || Output == NULL) { + if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) { + return FALSE; + } + + if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) { return FALSE; } @@ -339,7 +343,11 @@ TdesCbcDecrypt ( // // Check input parameters. // - if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Ivec == NULL || Output == NULL) { + if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) { + return FALSE; + } + + if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) { return FALSE; } diff --git a/Cryptlib/Hash/CryptMd4.c b/Cryptlib/Hash/CryptMd4.c index 31fc4dc..633d343 100644 --- a/Cryptlib/Hash/CryptMd4.c +++ b/Cryptlib/Hash/CryptMd4.c @@ -30,7 +30,7 @@ Md4GetContextSize ( // // Retrieves the OpenSSL MD4 Context Size // - return (UINTN)(sizeof (MD4_CTX)); + return (UINTN) (sizeof (MD4_CTX)); } /** @@ -61,7 +61,7 @@ Md4Init ( // // OpenSSL MD4 Context Initialization // - return (BOOLEAN) (MD4_Init ((MD4_CTX *)Md4Context)); + return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context)); } /** @@ -139,7 +139,7 @@ Md4Update ( // // OpenSSL MD4 Hash Update // - return (BOOLEAN) (MD4_Update ((MD4_CTX *)Md4Context, Data, DataSize)); + return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data, DataSize)); } /** @@ -179,5 +179,5 @@ Md4Final ( // // OpenSSL MD4 Hash Finalization // - return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *)Md4Context)); + return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context)); } diff --git a/Cryptlib/Hash/CryptMd5.c b/Cryptlib/Hash/CryptMd5.c index 1d852c7..dcf7691 100644 --- a/Cryptlib/Hash/CryptMd5.c +++ b/Cryptlib/Hash/CryptMd5.c @@ -31,7 +31,7 @@ Md5GetContextSize ( // // Retrieves the OpenSSL MD5 Context Size // - return (UINTN)(sizeof (MD5_CTX)); + return (UINTN) (sizeof (MD5_CTX)); } @@ -63,7 +63,7 @@ Md5Init ( // // OpenSSL MD5 Context Initialization // - return (BOOLEAN) (MD5_Init ((MD5_CTX *)Md5Context)); + return (BOOLEAN) (MD5_Init ((MD5_CTX *) Md5Context)); } /** @@ -141,7 +141,7 @@ Md5Update ( // // OpenSSL MD5 Hash Update // - return (BOOLEAN) (MD5_Update ((MD5_CTX *)Md5Context, Data, DataSize)); + return (BOOLEAN) (MD5_Update ((MD5_CTX *) Md5Context, Data, DataSize)); } /** @@ -181,5 +181,5 @@ Md5Final ( // // OpenSSL MD5 Hash Finalization // - return (BOOLEAN) (MD5_Final (HashValue, (MD5_CTX *)Md5Context)); + return (BOOLEAN) (MD5_Final (HashValue, (MD5_CTX *) Md5Context)); } diff --git a/Cryptlib/Hash/CryptSha1.c b/Cryptlib/Hash/CryptSha1.c index 633028b..78c29c1 100644 --- a/Cryptlib/Hash/CryptSha1.c +++ b/Cryptlib/Hash/CryptSha1.c @@ -31,7 +31,7 @@ Sha1GetContextSize ( // // Retrieves OpenSSL SHA Context Size // - return (UINTN)(sizeof (SHA_CTX)); + return (UINTN) (sizeof (SHA_CTX)); } /** @@ -62,7 +62,7 @@ Sha1Init ( // // OpenSSL SHA-1 Context Initialization // - return (BOOLEAN) (SHA1_Init ((SHA_CTX *)Sha1Context)); + return (BOOLEAN) (SHA1_Init ((SHA_CTX *) Sha1Context)); } /** @@ -140,7 +140,7 @@ Sha1Update ( // // OpenSSL SHA-1 Hash Update // - return (BOOLEAN) (SHA1_Update ((SHA_CTX *)Sha1Context, Data, DataSize)); + return (BOOLEAN) (SHA1_Update ((SHA_CTX *) Sha1Context, Data, DataSize)); } /** @@ -180,5 +180,5 @@ Sha1Final ( // // OpenSSL SHA-1 Hash Finalization // - return (BOOLEAN) (SHA1_Final (HashValue, (SHA_CTX *)Sha1Context)); + return (BOOLEAN) (SHA1_Final (HashValue, (SHA_CTX *) Sha1Context)); } diff --git a/Cryptlib/Hash/CryptSha256.c b/Cryptlib/Hash/CryptSha256.c index ca0cb1a..56894ac 100644 --- a/Cryptlib/Hash/CryptSha256.c +++ b/Cryptlib/Hash/CryptSha256.c @@ -30,7 +30,7 @@ Sha256GetContextSize ( // // Retrieves OpenSSL SHA-256 Context Size // - return (UINTN)(sizeof (SHA256_CTX)); + return (UINTN) (sizeof (SHA256_CTX)); } /** @@ -61,7 +61,7 @@ Sha256Init ( // // OpenSSL SHA-256 Context Initialization // - return (BOOLEAN) (SHA256_Init ((SHA256_CTX *)Sha256Context)); + return (BOOLEAN) (SHA256_Init ((SHA256_CTX *) Sha256Context)); } /** @@ -139,7 +139,7 @@ Sha256Update ( // // OpenSSL SHA-256 Hash Update // - return (BOOLEAN) (SHA256_Update ((SHA256_CTX *)Sha256Context, Data, DataSize)); + return (BOOLEAN) (SHA256_Update ((SHA256_CTX *) Sha256Context, Data, DataSize)); } /** @@ -179,5 +179,5 @@ Sha256Final ( // // OpenSSL SHA-256 Hash Finalization // - return (BOOLEAN) (SHA256_Final (HashValue, (SHA256_CTX *)Sha256Context)); + return (BOOLEAN) (SHA256_Final (HashValue, (SHA256_CTX *) Sha256Context)); } diff --git a/Cryptlib/Hmac/CryptHmacMd5.c b/Cryptlib/Hmac/CryptHmacMd5.c index 0cdab7a..693cd32 100644 --- a/Cryptlib/Hmac/CryptHmacMd5.c +++ b/Cryptlib/Hmac/CryptHmacMd5.c @@ -30,7 +30,7 @@ HmacMd5GetContextSize ( // // Retrieves the OpenSSL HMAC-MD5 Context Size // - return (UINTN)(sizeof (HMAC_CTX)); + return (UINTN) (sizeof (HMAC_CTX)); } /** @@ -58,7 +58,7 @@ HmacMd5Init ( // // Check input parameters. // - if (HmacMd5Context == NULL) { + if (HmacMd5Context == NULL || KeySize > INT_MAX) { return FALSE; } diff --git a/Cryptlib/Hmac/CryptHmacSha1.c b/Cryptlib/Hmac/CryptHmacSha1.c index 58da2f3..881d26c 100644 --- a/Cryptlib/Hmac/CryptHmacSha1.c +++ b/Cryptlib/Hmac/CryptHmacSha1.c @@ -30,7 +30,7 @@ HmacSha1GetContextSize ( // // Retrieves the OpenSSL HMAC-SHA1 Context Size // - return (UINTN)(sizeof (HMAC_CTX)); + return (UINTN) (sizeof (HMAC_CTX)); } /** @@ -58,7 +58,7 @@ HmacSha1Init ( // // Check input parameters. // - if (HmacSha1Context == NULL) { + if (HmacSha1Context == NULL || KeySize > INT_MAX) { return FALSE; } diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h index b047626..35a8eb1 100644 --- a/Cryptlib/InternalCryptLib.h +++ b/Cryptlib/InternalCryptLib.h @@ -21,6 +21,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include #include +#include "OpenSslSupport.h" + // // Environment Setting for OpenSSL-based UEFI Crypto Library. // @@ -28,25 +30,5 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define OPENSSL_SYSNAME_UWIN #endif -/** - Pop single certificate from STACK_OF(X509). - - If X509Stack, Cert, or CertSize is NULL, then return FALSE. - - @param[in] X509Stack Pointer to a X509 stack object. - @param[out] Cert Pointer to a X509 certificate. - @param[out] CertSize Length of output X509 certificate in bytes. - - @retval TRUE The X509 stack pop succeeded. - @retval FALSE The pop operation failed. - -**/ -BOOLEAN -X509PopCertificate ( - IN VOID *X509Stack, - OUT UINT8 **Cert, - OUT UINTN *CertSize - ); - #endif diff --git a/Cryptlib/Library/BaseCryptLib.h b/Cryptlib/Library/BaseCryptLib.h index 0f4b026..715a8e2 100644 --- a/Cryptlib/Library/BaseCryptLib.h +++ b/Cryptlib/Library/BaseCryptLib.h @@ -1400,7 +1400,7 @@ RsaPkcs1Verify ( IN VOID *RsaContext, IN CONST UINT8 *MessageHash, IN UINTN HashSize, - IN UINT8 *Signature, + IN CONST UINT8 *Signature, IN UINTN SigSize ); diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index 0890838..a05a4db 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -27,7 +27,8 @@ OBJS = Hash/CryptMd4.o \ Cipher/CryptTdes.o \ Cipher/CryptArc4.o \ Rand/CryptRand.o \ - Pk/CryptRsa.o \ + Pk/CryptRsaBasic.o \ + Pk/CryptRsaExt.o \ Pk/CryptPkcs7.o \ Pk/CryptDh.o \ Pk/CryptX509.o \ diff --git a/Cryptlib/Pem/CryptPem.c b/Cryptlib/Pem/CryptPem.c index 2c3a97b..51e648b 100644 --- a/Cryptlib/Pem/CryptPem.c +++ b/Cryptlib/Pem/CryptPem.c @@ -1,7 +1,7 @@ /** @file PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL. -Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -36,7 +36,7 @@ PasswordCallback ( { INTN KeyLength; - ZeroMem ((VOID *)Buf, (UINTN)Size); + ZeroMem ((VOID *) Buf, (UINTN) Size); if (Key != NULL) { // // Duplicate key phrase directly. @@ -86,31 +86,41 @@ RsaGetPrivateKeyFromPem ( return FALSE; } - Status = FALSE; - PemBio = NULL; - // // Add possible block-cipher descriptor for PEM data decryption. // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM. // - EVP_add_cipher (EVP_des_ede3_cbc()); - EVP_add_cipher (EVP_aes_128_cbc()); - EVP_add_cipher (EVP_aes_192_cbc()); - EVP_add_cipher (EVP_aes_256_cbc()); + if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) { + return FALSE; + } + if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) { + return FALSE; + } + if (EVP_add_cipher (EVP_aes_192_cbc ()) == 0) { + return FALSE; + } + if (EVP_add_cipher (EVP_aes_256_cbc ()) == 0) { + return FALSE; + } + + Status = FALSE; // // Read encrypted PEM Data. // PemBio = BIO_new (BIO_s_mem ()); - BIO_write (PemBio, PemData, (int)PemSize); if (PemBio == NULL) { goto _Exit; } + if (BIO_write (PemBio, PemData, (int) PemSize) <= 0) { + goto _Exit; + } + // // Retrieve RSA Private Key from encrypted PEM data. // - *RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *)&PasswordCallback, (void *)Password); + *RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *) &PasswordCallback, (void *) Password); if (*RsaContext != NULL) { Status = TRUE; } diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c index a4f62b2..bb5f6d4 100644 --- a/Cryptlib/Pk/CryptAuthenticode.c +++ b/Cryptlib/Pk/CryptAuthenticode.c @@ -26,6 +26,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include #include +// +// OID ASN.1 Value for SPC_INDIRECT_DATA_OBJID +// +UINT8 mSpcIndirectOidValue[] = { + 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04 + }; /** Verifies the validility of a PE/COFF Authenticode Signature as described in "Windows @@ -70,6 +76,7 @@ AuthenticodeVerify ( UINT8 *SpcIndirectDataContent; UINT8 Asn1Byte; UINTN ContentSize; + UINT8 *SpcIndirectDataOid; // // Check input parameters. @@ -106,6 +113,19 @@ AuthenticodeVerify ( // some authenticode-specific structure. Use opaque ASN.1 string to retrieve // PKCS#7 ContentInfo here. // + SpcIndirectDataOid = (UINT8 *)(Pkcs7->d.sign->contents->type->data); + if (CompareMem ( + SpcIndirectDataOid, + mSpcIndirectOidValue, + sizeof (mSpcIndirectOidValue) + ) != 0) { + // + // Un-matched SPC_INDIRECT_DATA_OBJID. + // + goto _Exit; + } + + SpcIndirectDataContent = (UINT8 *)(Pkcs7->d.sign->contents->d.other->value.asn1_string->data); // diff --git a/Cryptlib/Pk/CryptDh.c b/Cryptlib/Pk/CryptDh.c index 20f1346..942b3d1 100644 --- a/Cryptlib/Pk/CryptDh.c +++ b/Cryptlib/Pk/CryptDh.c @@ -32,7 +32,7 @@ DhNew ( // // Allocates & Initializes DH Context by OpenSSL DH_new() // - return (VOID *)DH_new (); + return (VOID *) DH_new (); } /** @@ -52,7 +52,7 @@ DhFree ( // // Free OpenSSL DH Context // - DH_free ((DH *)DhContext); + DH_free ((DH *) DhContext); } /** @@ -91,7 +91,7 @@ DhGenerateParameter ( // // Check input parameters. // - if (DhContext == NULL || Prime == NULL) { + if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { return FALSE; } @@ -139,12 +139,13 @@ DhSetParameter ( IN CONST UINT8 *Prime ) { - DH *Dh; + DH *Dh; + BIGNUM *Bn; // // Check input parameters. // - if (DhContext == NULL || Prime == NULL) { + if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { return FALSE; } @@ -152,14 +153,46 @@ DhSetParameter ( return FALSE; } - Dh = (DH *) DhContext; - Dh->p = BN_new(); - Dh->g = BN_new(); + Bn = NULL; - BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p); - BN_set_word (Dh->g, (UINT32) Generator); + Dh = (DH *) DhContext; + Dh->g = NULL; + Dh->p = BN_new (); + if (Dh->p == NULL) { + goto Error; + } + + Dh->g = BN_new (); + if (Dh->g == NULL) { + goto Error; + } + + Bn = BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p); + if (Bn == NULL) { + goto Error; + } + + if (BN_set_word (Dh->g, (UINT32) Generator) == 0) { + goto Error; + } return TRUE; + +Error: + + if (Dh->p != NULL) { + BN_free (Dh->p); + } + + if (Dh->g != NULL) { + BN_free (Dh->g); + } + + if (Bn != NULL) { + BN_free (Bn); + } + + return FALSE; } /** @@ -194,6 +227,7 @@ DhGenerateKey ( { BOOLEAN RetVal; DH *Dh; + INTN Size; // // Check input parameters. @@ -207,12 +241,17 @@ DhGenerateKey ( } Dh = (DH *) DhContext; - *PublicKeySize = 0; RetVal = (BOOLEAN) DH_generate_key (DhContext); if (RetVal) { + Size = BN_num_bytes (Dh->pub_key); + if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) { + *PublicKeySize = Size; + return FALSE; + } + BN_bn2bin (Dh->pub_key, PublicKey); - *PublicKeySize = BN_num_bytes (Dh->pub_key); + *PublicKeySize = Size; } return RetVal; @@ -227,7 +266,8 @@ DhGenerateKey ( If DhContext is NULL, then return FALSE. If PeerPublicKey is NULL, then return FALSE. If KeySize is NULL, then return FALSE. - If KeySize is large enough but Key is NULL, then return FALSE. + If Key is NULL, then return FALSE. + If KeySize is not large enough, then return FALSE. @param[in, out] DhContext Pointer to the DH context. @param[in] PeerPublicKey Pointer to the peer's public key. @@ -252,23 +292,37 @@ DhComputeKey ( ) { BIGNUM *Bn; + INTN Size; // // Check input parameters. // - if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL) { + if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL || Key == NULL) { return FALSE; } - if (Key == NULL && *KeySize != 0) { + if (PeerPublicKeySize > INT_MAX) { return FALSE; } Bn = BN_bin2bn (PeerPublicKey, (UINT32) PeerPublicKeySize, NULL); + if (Bn == NULL) { + return FALSE; + } - *KeySize = (BOOLEAN) DH_compute_key (Key, Bn, DhContext); + Size = DH_compute_key (Key, Bn, DhContext); + if (Size < 0) { + BN_free (Bn); + return FALSE; + } + if (*KeySize < (UINTN) Size) { + *KeySize = Size; + BN_free (Bn); + return FALSE; + } + + *KeySize = Size; BN_free (Bn); - return TRUE; } diff --git a/Cryptlib/Pk/CryptRsa.c b/Cryptlib/Pk/CryptRsa.c deleted file mode 100644 index 0483353..0000000 --- a/Cryptlib/Pk/CryptRsa.c +++ /dev/null @@ -1,722 +0,0 @@ -/** @file - RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. - -Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" - -#include -#include - -// -// ASN.1 value for Hash Algorithm ID with the Distringuished Encoding Rules (DER) -// Refer to Section 9.2 of PKCS#1 v2.1 -// -CONST UINT8 Asn1IdMd5[] = { - 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, - 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10 - }; - -CONST UINT8 Asn1IdSha1[] = { - 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, - 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 - }; - -CONST UINT8 Asn1IdSha256[] = { - 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, - 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, - 0x00, 0x04, 0x20 - }; - - -/** - Allocates and initializes one RSA context for subsequent use. - - @return Pointer to the RSA context that has been initialized. - If the allocations fails, RsaNew() returns NULL. - -**/ -VOID * -EFIAPI -RsaNew ( - VOID - ) -{ - // - // Allocates & Initializes RSA Context by OpenSSL RSA_new() - // - return (VOID *)RSA_new (); -} - -/** - Release the specified RSA context. - - If RsaContext is NULL, then return FALSE. - - @param[in] RsaContext Pointer to the RSA context to be released. - -**/ -VOID -EFIAPI -RsaFree ( - IN VOID *RsaContext - ) -{ - // - // Free OpenSSL RSA Context - // - RSA_free ((RSA *)RsaContext); -} - -/** - Sets the tag-designated key component into the established RSA context. - - This function sets the tag-designated RSA key component into the established - RSA context from the user-specified non-negative integer (octet string format - represented in RSA PKCS#1). - If BigNumber is NULL, then the specified key componenet in RSA context is cleared. - - If RsaContext is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] KeyTag Tag of RSA key component being set. - @param[in] BigNumber Pointer to octet integer buffer. - If NULL, then the specified key componenet in RSA - context is cleared. - @param[in] BnSize Size of big number buffer in bytes. - If BigNumber is NULL, then it is ignored. - - @retval TRUE RSA key component was set successfully. - @retval FALSE Invalid RSA key component tag. - -**/ -BOOLEAN -EFIAPI -RsaSetKey ( - IN OUT VOID *RsaContext, - IN RSA_KEY_TAG KeyTag, - IN CONST UINT8 *BigNumber, - IN UINTN BnSize - ) -{ - RSA *RsaKey; - - // - // Check input parameters. - // - if (RsaContext == NULL) { - return FALSE; - } - - RsaKey = (RSA *)RsaContext; - // - // Set RSA Key Components by converting octet string to OpenSSL BN representation. - // NOTE: For RSA public key (used in signature verification), only public components - // (N, e) are needed. - // - switch (KeyTag) { - - // - // RSA Public Modulus (N) - // - case RsaKeyN: - if (RsaKey->n != NULL) { - BN_free (RsaKey->n); - } - RsaKey->n = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n); - break; - - // - // RSA Public Exponent (e) - // - case RsaKeyE: - if (RsaKey->e != NULL) { - BN_free (RsaKey->e); - } - RsaKey->e = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e); - break; - - // - // RSA Private Exponent (d) - // - case RsaKeyD: - if (RsaKey->d != NULL) { - BN_free (RsaKey->d); - } - RsaKey->d = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d); - break; - - // - // RSA Secret Prime Factor of Modulus (p) - // - case RsaKeyP: - if (RsaKey->p != NULL) { - BN_free (RsaKey->p); - } - RsaKey->p = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p); - break; - - // - // RSA Secret Prime Factor of Modules (q) - // - case RsaKeyQ: - if (RsaKey->q != NULL) { - BN_free (RsaKey->q); - } - RsaKey->q = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q); - break; - - // - // p's CRT Exponent (== d mod (p - 1)) - // - case RsaKeyDp: - if (RsaKey->dmp1 != NULL) { - BN_free (RsaKey->dmp1); - } - RsaKey->dmp1 = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1); - break; - - // - // q's CRT Exponent (== d mod (q - 1)) - // - case RsaKeyDq: - if (RsaKey->dmq1 != NULL) { - BN_free (RsaKey->dmq1); - } - RsaKey->dmq1 = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1); - break; - - // - // The CRT Coefficient (== 1/q mod p) - // - case RsaKeyQInv: - if (RsaKey->iqmp != NULL) { - BN_free (RsaKey->iqmp); - } - RsaKey->iqmp = NULL; - if (BigNumber == NULL) { - break; - } - RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp); - break; - - default: - return FALSE; - } - - return TRUE; -} - -/** - Gets the tag-designated RSA key component from the established RSA context. - - This function retrieves the tag-designated RSA key component from the - established RSA context as a non-negative integer (octet string format - represented in RSA PKCS#1). - If specified key component has not been set or has been cleared, then returned - BnSize is set to 0. - If the BigNumber buffer is too small to hold the contents of the key, FALSE - is returned and BnSize is set to the required buffer size to obtain the key. - - If RsaContext is NULL, then return FALSE. - If BnSize is NULL, then return FALSE. - If BnSize is large enough but BigNumber is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] KeyTag Tag of RSA key component being set. - @param[out] BigNumber Pointer to octet integer buffer. - @param[in, out] BnSize On input, the size of big number buffer in bytes. - On output, the size of data returned in big number buffer in bytes. - - @retval TRUE RSA key component was retrieved successfully. - @retval FALSE Invalid RSA key component tag. - @retval FALSE BnSize is too small. - -**/ -BOOLEAN -EFIAPI -RsaGetKey ( - IN OUT VOID *RsaContext, - IN RSA_KEY_TAG KeyTag, - OUT UINT8 *BigNumber, - IN OUT UINTN *BnSize - ) -{ - RSA *RsaKey; - BIGNUM *BnKey; - UINTN Size; - - // - // Check input parameters. - // - if (RsaContext == NULL || BnSize == NULL) { - return FALSE; - } - - RsaKey = (RSA *) RsaContext; - Size = *BnSize; - *BnSize = 0; - - switch (KeyTag) { - - // - // RSA Public Modulus (N) - // - case RsaKeyN: - if (RsaKey->n == NULL) { - return TRUE; - } - BnKey = RsaKey->n; - break; - - // - // RSA Public Exponent (e) - // - case RsaKeyE: - if (RsaKey->e == NULL) { - return TRUE; - } - BnKey = RsaKey->e; - break; - - // - // RSA Private Exponent (d) - // - case RsaKeyD: - if (RsaKey->d == NULL) { - return TRUE; - } - BnKey = RsaKey->d; - break; - - // - // RSA Secret Prime Factor of Modulus (p) - // - case RsaKeyP: - if (RsaKey->p == NULL) { - return TRUE; - } - BnKey = RsaKey->p; - break; - - // - // RSA Secret Prime Factor of Modules (q) - // - case RsaKeyQ: - if (RsaKey->q == NULL) { - return TRUE; - } - BnKey = RsaKey->q; - break; - - // - // p's CRT Exponent (== d mod (p - 1)) - // - case RsaKeyDp: - if (RsaKey->dmp1 == NULL) { - return TRUE; - } - BnKey = RsaKey->dmp1; - break; - - // - // q's CRT Exponent (== d mod (q - 1)) - // - case RsaKeyDq: - if (RsaKey->dmq1 == NULL) { - return TRUE; - } - BnKey = RsaKey->dmq1; - break; - - // - // The CRT Coefficient (== 1/q mod p) - // - case RsaKeyQInv: - if (RsaKey->iqmp == NULL) { - return TRUE; - } - BnKey = RsaKey->iqmp; - break; - - default: - return FALSE; - } - - *BnSize = Size; - Size = BN_num_bytes (BnKey); - - if (*BnSize < Size) { - *BnSize = Size; - return FALSE; - } - - if (BigNumber == NULL) { - return FALSE; - } - *BnSize = BN_bn2bin (BnKey, BigNumber) ; - - return TRUE; -} - -/** - Generates RSA key components. - - This function generates RSA key components. It takes RSA public exponent E and - length in bits of RSA modulus N as input, and generates all key components. - If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. - - Before this function can be invoked, pseudorandom number generator must be correctly - initialized by RandomSeed(). - - If RsaContext is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] ModulusLength Length of RSA modulus N in bits. - @param[in] PublicExponent Pointer to RSA public exponent. - @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. - - @retval TRUE RSA key component was generated successfully. - @retval FALSE Invalid RSA key component tag. - -**/ -BOOLEAN -EFIAPI -RsaGenerateKey ( - IN OUT VOID *RsaContext, - IN UINTN ModulusLength, - IN CONST UINT8 *PublicExponent, - IN UINTN PublicExponentSize - ) -{ - BIGNUM *KeyE; - BOOLEAN RetVal; - - // - // Check input parameters. - // - if (RsaContext == NULL) { - return FALSE; - } - - KeyE = BN_new (); - if (PublicExponent == NULL) { - BN_set_word (KeyE, 0x10001); - } else { - BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE); - } - - RetVal = FALSE; - if (RSA_generate_key_ex ((RSA *) RsaContext, (UINT32) ModulusLength, KeyE, NULL) == 1) { - RetVal = TRUE; - } - - BN_free (KeyE); - return RetVal; -} - -/** - Validates key components of RSA context. - - This function validates key compoents of RSA context in following aspects: - - Whether p is a prime - - Whether q is a prime - - Whether n = p * q - - Whether d*e = 1 mod lcm(p-1,q-1) - - If RsaContext is NULL, then return FALSE. - - @param[in] RsaContext Pointer to RSA context to check. - - @retval TRUE RSA key components are valid. - @retval FALSE RSA key components are not valid. - -**/ -BOOLEAN -EFIAPI -RsaCheckKey ( - IN VOID *RsaContext - ) -{ - UINTN Reason; - - // - // Check input parameters. - // - if (RsaContext == NULL) { - return FALSE; - } - - if (RSA_check_key ((RSA *) RsaContext) != 1) { - Reason = ERR_GET_REASON (ERR_peek_last_error ()); - if (Reason == RSA_R_P_NOT_PRIME || - Reason == RSA_R_Q_NOT_PRIME || - Reason == RSA_R_N_DOES_NOT_EQUAL_P_Q || - Reason == RSA_R_D_E_NOT_CONGRUENT_TO_1) { - return FALSE; - } - } - - return TRUE; -} - -/** - Performs the PKCS1-v1_5 encoding methods defined in RSA PKCS #1. - - @param Message Message buffer to be encoded. - @param MessageSize Size of message buffer in bytes. - @param DigestInfo Pointer to buffer of digest info for output. - - @return Size of DigestInfo in bytes. - -**/ -UINTN -DigestInfoEncoding ( - IN CONST UINT8 *Message, - IN UINTN MessageSize, - OUT UINT8 *DigestInfo - ) -{ - CONST UINT8 *HashDer; - UINTN DerSize; - - // - // Check input parameters. - // - if (Message == NULL || DigestInfo == NULL) { - return FALSE; - } - - // - // The original message length is used to determine the hash algorithm since - // message is digest value hashed by the specified algorithm. - // - switch (MessageSize) { - case MD5_DIGEST_SIZE: - HashDer = Asn1IdMd5; - DerSize = sizeof (Asn1IdMd5); - break; - - case SHA1_DIGEST_SIZE: - HashDer = Asn1IdSha1; - DerSize = sizeof (Asn1IdSha1); - break; - - case SHA256_DIGEST_SIZE: - HashDer = Asn1IdSha256; - DerSize = sizeof (Asn1IdSha256); - break; - - default: - return FALSE; - } - - CopyMem (DigestInfo, HashDer, DerSize); - CopyMem (DigestInfo + DerSize, Message, MessageSize); - - return (DerSize + MessageSize); -} - -/** - Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. - - This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in - RSA PKCS#1. - If the Signature buffer is too small to hold the contents of signature, FALSE - is returned and SigSize is set to the required buffer size to obtain the signature. - - If RsaContext is NULL, then return FALSE. - If MessageHash is NULL, then return FALSE. - If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. - If SigSize is large enough but Signature is NULL, then return FALSE. - - @param[in] RsaContext Pointer to RSA context for signature generation. - @param[in] MessageHash Pointer to octet message hash to be signed. - @param[in] HashSize Size of the message hash in bytes. - @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. - @param[in, out] SigSize On input, the size of Signature buffer in bytes. - On output, the size of data returned in Signature buffer in bytes. - - @retval TRUE Signature successfully generated in PKCS1-v1_5. - @retval FALSE Signature generation failed. - @retval FALSE SigSize is too small. - -**/ -BOOLEAN -EFIAPI -RsaPkcs1Sign ( - IN VOID *RsaContext, - IN CONST UINT8 *MessageHash, - IN UINTN HashSize, - OUT UINT8 *Signature, - IN OUT UINTN *SigSize - ) -{ - RSA *Rsa; - UINTN Size; - INTN ReturnVal; - - // - // Check input parameters. - // - if (RsaContext == NULL || MessageHash == NULL || - (HashSize != MD5_DIGEST_SIZE && HashSize != SHA1_DIGEST_SIZE && HashSize != SHA256_DIGEST_SIZE)) { - return FALSE; - } - - Rsa = (RSA *) RsaContext; - Size = BN_num_bytes (Rsa->n); - - if (*SigSize < Size) { - *SigSize = Size; - return FALSE; - } - - if (Signature == NULL) { - return FALSE; - } - - Size = DigestInfoEncoding (MessageHash, HashSize, Signature); - - ReturnVal = RSA_private_encrypt ( - (UINT32) Size, - Signature, - Signature, - Rsa, - RSA_PKCS1_PADDING - ); - - if (ReturnVal < (INTN) Size) { - return FALSE; - } - - *SigSize = (UINTN)ReturnVal; - return TRUE; -} - -/** - Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in - RSA PKCS#1. - - If RsaContext is NULL, then return FALSE. - If MessageHash is NULL, then return FALSE. - If Signature is NULL, then return FALSE. - If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. - - @param[in] RsaContext Pointer to RSA context for signature verification. - @param[in] MessageHash Pointer to octet message hash to be checked. - @param[in] HashSize Size of the message hash in bytes. - @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. - @param[in] SigSize Size of signature in bytes. - - @retval TRUE Valid signature encoded in PKCS1-v1_5. - @retval FALSE Invalid signature or invalid RSA context. - -**/ -BOOLEAN -EFIAPI -RsaPkcs1Verify ( - IN VOID *RsaContext, - IN CONST UINT8 *MessageHash, - IN UINTN HashSize, - IN UINT8 *Signature, - IN UINTN SigSize - ) -{ - INTN Length; - - // - // Check input parameters. - // - if (RsaContext == NULL || MessageHash == NULL || Signature == NULL) { - return FALSE; - } - - - // - // Check for unsupported hash size: - // Only MD5, SHA-1 or SHA-256 digest size is supported - // - if (HashSize != MD5_DIGEST_SIZE && HashSize != SHA1_DIGEST_SIZE && HashSize != SHA256_DIGEST_SIZE) { - return FALSE; - } - - // - // RSA PKCS#1 Signature Decoding using OpenSSL RSA Decryption with Public Key - // - Length = RSA_public_decrypt ( - (UINT32) SigSize, - Signature, - Signature, - RsaContext, - RSA_PKCS1_PADDING - ); - - // - // Invalid RSA Key or PKCS#1 Padding Checking Failed (if Length < 0) - // NOTE: Length should be the addition of HashSize and some DER value. - // Ignore more strict length checking here. - // - if (Length < (INTN) HashSize) { - return FALSE; - } - - // - // Validate the MessageHash and Decoded Signature - // NOTE: The decoded Signature should be the DER encoding of the DigestInfo value - // DigestInfo ::= SEQUENCE { - // digestAlgorithm AlgorithmIdentifier - // digest OCTET STRING - // } - // Then Memory Comparing should skip the DER value of the underlying SEQUENCE - // type and AlgorithmIdentifier. - // - if (CompareMem (MessageHash, Signature + Length - HashSize, HashSize) == 0) { - // - // Valid RSA PKCS#1 Signature - // - return TRUE; - } else { - // - // Failed to verification - // - return FALSE; - } -} diff --git a/Cryptlib/Pk/CryptRsaBasic.c b/Cryptlib/Pk/CryptRsaBasic.c new file mode 100644 index 0000000..3e43098 --- /dev/null +++ b/Cryptlib/Pk/CryptRsaBasic.c @@ -0,0 +1,335 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file implements following APIs which provide basic capabilities for RSA: + 1) RsaNew + 2) RsaFree + 3) RsaSetKey + 4) RsaPkcs1Verify + +Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +#include +#include + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +RsaNew ( + VOID + ) +{ + // + // Allocates & Initializes RSA Context by OpenSSL RSA_new() + // + return (VOID *) RSA_new (); +} + +/** + Release the specified RSA context. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +RsaFree ( + IN VOID *RsaContext + ) +{ + // + // Free OpenSSL RSA Context + // + RSA_free ((RSA *) RsaContext); +} + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key componenet in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key componenet in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ) +{ + RSA *RsaKey; + + // + // Check input parameters. + // + if (RsaContext == NULL || BnSize > INT_MAX) { + return FALSE; + } + + RsaKey = (RSA *) RsaContext; + // + // Set RSA Key Components by converting octet string to OpenSSL BN representation. + // NOTE: For RSA public key (used in signature verification), only public components + // (N, e) are needed. + // + switch (KeyTag) { + + // + // RSA Public Modulus (N) + // + case RsaKeyN: + if (RsaKey->n != NULL) { + BN_free (RsaKey->n); + } + RsaKey->n = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n); + if (RsaKey->n == NULL) { + return FALSE; + } + + break; + + // + // RSA Public Exponent (e) + // + case RsaKeyE: + if (RsaKey->e != NULL) { + BN_free (RsaKey->e); + } + RsaKey->e = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e); + if (RsaKey->e == NULL) { + return FALSE; + } + + break; + + // + // RSA Private Exponent (d) + // + case RsaKeyD: + if (RsaKey->d != NULL) { + BN_free (RsaKey->d); + } + RsaKey->d = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d); + if (RsaKey->d == NULL) { + return FALSE; + } + + break; + + // + // RSA Secret Prime Factor of Modulus (p) + // + case RsaKeyP: + if (RsaKey->p != NULL) { + BN_free (RsaKey->p); + } + RsaKey->p = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p); + if (RsaKey->p == NULL) { + return FALSE; + } + + break; + + // + // RSA Secret Prime Factor of Modules (q) + // + case RsaKeyQ: + if (RsaKey->q != NULL) { + BN_free (RsaKey->q); + } + RsaKey->q = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q); + if (RsaKey->q == NULL) { + return FALSE; + } + + break; + + // + // p's CRT Exponent (== d mod (p - 1)) + // + case RsaKeyDp: + if (RsaKey->dmp1 != NULL) { + BN_free (RsaKey->dmp1); + } + RsaKey->dmp1 = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1); + if (RsaKey->dmp1 == NULL) { + return FALSE; + } + + break; + + // + // q's CRT Exponent (== d mod (q - 1)) + // + case RsaKeyDq: + if (RsaKey->dmq1 != NULL) { + BN_free (RsaKey->dmq1); + } + RsaKey->dmq1 = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1); + if (RsaKey->dmq1 == NULL) { + return FALSE; + } + + break; + + // + // The CRT Coefficient (== 1/q mod p) + // + case RsaKeyQInv: + if (RsaKey->iqmp != NULL) { + BN_free (RsaKey->iqmp); + } + RsaKey->iqmp = NULL; + if (BigNumber == NULL) { + break; + } + RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp); + if (RsaKey->iqmp == NULL) { + return FALSE; + } + + break; + + default: + return FALSE; + } + + return TRUE; +} + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + INT32 DigestType; + UINT8 *SigBuf; + + // + // Check input parameters. + // + if (RsaContext == NULL || MessageHash == NULL || Signature == NULL) { + return FALSE; + } + + if (SigSize > INT_MAX || SigSize == 0) { + return FALSE; + } + + // + // Determine the message digest algorithm according to digest size. + // Only MD5, SHA-1 or SHA-256 algorithm is supported. + // + switch (HashSize) { + case MD5_DIGEST_SIZE: + DigestType = NID_md5; + break; + + case SHA1_DIGEST_SIZE: + DigestType = NID_sha1; + break; + + case SHA256_DIGEST_SIZE: + DigestType = NID_sha256; + break; + + default: + return FALSE; + } + + SigBuf = (UINT8 *) Signature; + return (BOOLEAN) RSA_verify ( + DigestType, + MessageHash, + (UINT32) HashSize, + SigBuf, + (UINT32) SigSize, + (RSA *) RsaContext + ); +} diff --git a/Cryptlib/Pk/CryptRsaExt.c b/Cryptlib/Pk/CryptRsaExt.c new file mode 100644 index 0000000..5c21d12 --- /dev/null +++ b/Cryptlib/Pk/CryptRsaExt.c @@ -0,0 +1,377 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file implements following APIs which provide more capabilities for RSA: + 1) RsaGetKey + 2) RsaGenerateKey + 3) RsaCheckKey + 4) RsaPkcs1Sign + +Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include + +/** + Gets the tag-designated RSA key component from the established RSA context. + + This function retrieves the tag-designated RSA key component from the + established RSA context as a non-negative integer (octet string format + represented in RSA PKCS#1). + If specified key component has not been set or has been cleared, then returned + BnSize is set to 0. + If the BigNumber buffer is too small to hold the contents of the key, FALSE + is returned and BnSize is set to the required buffer size to obtain the key. + + If RsaContext is NULL, then return FALSE. + If BnSize is NULL, then return FALSE. + If BnSize is large enough but BigNumber is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval TRUE RSA key component was retrieved successfully. + @retval FALSE Invalid RSA key component tag. + @retval FALSE BnSize is too small. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + RSA *RsaKey; + BIGNUM *BnKey; + UINTN Size; + + // + // Check input parameters. + // + if (RsaContext == NULL || BnSize == NULL) { + return FALSE; + } + + RsaKey = (RSA *) RsaContext; + Size = *BnSize; + *BnSize = 0; + + switch (KeyTag) { + + // + // RSA Public Modulus (N) + // + case RsaKeyN: + if (RsaKey->n == NULL) { + return TRUE; + } + BnKey = RsaKey->n; + break; + + // + // RSA Public Exponent (e) + // + case RsaKeyE: + if (RsaKey->e == NULL) { + return TRUE; + } + BnKey = RsaKey->e; + break; + + // + // RSA Private Exponent (d) + // + case RsaKeyD: + if (RsaKey->d == NULL) { + return TRUE; + } + BnKey = RsaKey->d; + break; + + // + // RSA Secret Prime Factor of Modulus (p) + // + case RsaKeyP: + if (RsaKey->p == NULL) { + return TRUE; + } + BnKey = RsaKey->p; + break; + + // + // RSA Secret Prime Factor of Modules (q) + // + case RsaKeyQ: + if (RsaKey->q == NULL) { + return TRUE; + } + BnKey = RsaKey->q; + break; + + // + // p's CRT Exponent (== d mod (p - 1)) + // + case RsaKeyDp: + if (RsaKey->dmp1 == NULL) { + return TRUE; + } + BnKey = RsaKey->dmp1; + break; + + // + // q's CRT Exponent (== d mod (q - 1)) + // + case RsaKeyDq: + if (RsaKey->dmq1 == NULL) { + return TRUE; + } + BnKey = RsaKey->dmq1; + break; + + // + // The CRT Coefficient (== 1/q mod p) + // + case RsaKeyQInv: + if (RsaKey->iqmp == NULL) { + return TRUE; + } + BnKey = RsaKey->iqmp; + break; + + default: + return FALSE; + } + + *BnSize = Size; + Size = BN_num_bytes (BnKey); + + if (*BnSize < Size) { + *BnSize = Size; + return FALSE; + } + + if (BigNumber == NULL) { + return FALSE; + } + *BnSize = BN_bn2bin (BnKey, BigNumber) ; + + return TRUE; +} + +/** + Generates RSA key components. + + This function generates RSA key components. It takes RSA public exponent E and + length in bits of RSA modulus N as input, and generates all key components. + If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. + + Before this function can be invoked, pseudorandom number generator must be correctly + initialized by RandomSeed(). + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval TRUE RSA key component was generated successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + BIGNUM *KeyE; + BOOLEAN RetVal; + + // + // Check input parameters. + // + if (RsaContext == NULL || ModulusLength > INT_MAX || PublicExponentSize > INT_MAX) { + return FALSE; + } + + KeyE = BN_new (); + if (KeyE == NULL) { + return FALSE; + } + + RetVal = FALSE; + + if (PublicExponent == NULL) { + if (BN_set_word (KeyE, 0x10001) == 0) { + goto _Exit; + } + } else { + if (BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE) == NULL) { + goto _Exit; + } + } + + if (RSA_generate_key_ex ((RSA *) RsaContext, (UINT32) ModulusLength, KeyE, NULL) == 1) { + RetVal = TRUE; + } + +_Exit: + BN_free (KeyE); + return RetVal; +} + +/** + Validates key components of RSA context. + + This function validates key compoents of RSA context in following aspects: + - Whether p is a prime + - Whether q is a prime + - Whether n = p * q + - Whether d*e = 1 mod lcm(p-1,q-1) + + If RsaContext is NULL, then return FALSE. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval TRUE RSA key components are valid. + @retval FALSE RSA key components are not valid. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + UINTN Reason; + + // + // Check input parameters. + // + if (RsaContext == NULL) { + return FALSE; + } + + if (RSA_check_key ((RSA *) RsaContext) != 1) { + Reason = ERR_GET_REASON (ERR_peek_last_error ()); + if (Reason == RSA_R_P_NOT_PRIME || + Reason == RSA_R_Q_NOT_PRIME || + Reason == RSA_R_N_DOES_NOT_EQUAL_P_Q || + Reason == RSA_R_D_E_NOT_CONGRUENT_TO_1) { + return FALSE; + } + } + + return TRUE; +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + If SigSize is large enough but Signature is NULL, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in PKCS1-v1_5. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + RSA *Rsa; + UINTN Size; + INT32 DigestType; + + // + // Check input parameters. + // + if (RsaContext == NULL || MessageHash == NULL) { + return FALSE; + } + + Rsa = (RSA *) RsaContext; + Size = BN_num_bytes (Rsa->n); + + if (*SigSize < Size) { + *SigSize = Size; + return FALSE; + } + + if (Signature == NULL) { + return FALSE; + } + + // + // Determine the message digest algorithm according to digest size. + // Only MD5, SHA-1 or SHA-256 algorithm is supported. + // + switch (HashSize) { + case MD5_DIGEST_SIZE: + DigestType = NID_md5; + break; + + case SHA1_DIGEST_SIZE: + DigestType = NID_sha1; + break; + + case SHA256_DIGEST_SIZE: + DigestType = NID_sha256; + break; + + default: + return FALSE; + } + + return (BOOLEAN) RSA_sign ( + DigestType, + MessageHash, + (UINT32) HashSize, + Signature, + (UINT32 *) SigSize, + (RSA *) RsaContext + ); +} diff --git a/Cryptlib/Pk/CryptX509.c b/Cryptlib/Pk/CryptX509.c index a0c5a2a..5abe970 100644 --- a/Cryptlib/Pk/CryptX509.c +++ b/Cryptlib/Pk/CryptX509.c @@ -38,9 +38,7 @@ X509ConstructCertificate ( OUT UINT8 **SingleX509Cert ) { - BIO *CertBio; X509 *X509Cert; - BOOLEAN Status; // // Check input parameters. @@ -49,31 +47,17 @@ X509ConstructCertificate ( return FALSE; } - Status = FALSE; - // // Read DER-encoded X509 Certificate and Construct X509 object. // - CertBio = BIO_new (BIO_s_mem ()); - BIO_write (CertBio, Cert, (int) CertSize); - if (CertBio == NULL) { - goto _Exit; - } - X509Cert = d2i_X509_bio (CertBio, NULL); + X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize); if (X509Cert == NULL) { - goto _Exit; + return FALSE; } *SingleX509Cert = (UINT8 *) X509Cert; - Status = TRUE; -_Exit: - // - // Release Resources. - // - BIO_free (CertBio); - - return Status; + return TRUE; } /** @@ -224,91 +208,6 @@ X509StackFree ( sk_X509_pop_free ((STACK_OF(X509) *) X509Stack, X509_free); } -/** - Pop single certificate from STACK_OF(X509). - - If X509Stack, Cert, or CertSize is NULL, then return FALSE. - - @param[in] X509Stack Pointer to a X509 stack object. - @param[out] Cert Pointer to a X509 certificate. - @param[out] CertSize Length of output X509 certificate in bytes. - - @retval TRUE The X509 stack pop succeeded. - @retval FALSE The pop operation failed. - -**/ -BOOLEAN -X509PopCertificate ( - IN VOID *X509Stack, - OUT UINT8 **Cert, - OUT UINTN *CertSize - ) -{ - BIO *CertBio; - X509 *X509Cert; - STACK_OF(X509) *CertStack; - BOOLEAN Status; - int Result; - int Length; - VOID *Buffer; - - Status = FALSE; - - if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) { - return Status; - } - - CertStack = (STACK_OF(X509) *) X509Stack; - - X509Cert = sk_X509_pop (CertStack); - - if (X509Cert == NULL) { - return Status; - } - - Buffer = NULL; - - CertBio = BIO_new (BIO_s_mem ()); - if (CertBio == NULL) { - return Status; - } - - Result = i2d_X509_bio (CertBio, X509Cert); - if (Result == 0) { - goto _Exit; - } - - Length = ((BUF_MEM *) CertBio->ptr)->length; - if (Length <= 0) { - goto _Exit; - } - - Buffer = malloc (Length); - if (Buffer == NULL) { - goto _Exit; - } - - Result = BIO_read (CertBio, Buffer, Length); - if (Result != Length) { - goto _Exit; - } - - *Cert = Buffer; - *CertSize = Length; - - Status = TRUE; - -_Exit: - - BIO_free (CertBio); - - if (!Status && (Buffer != NULL)) { - free (Buffer); - } - - return Status; -} - /** Retrieve the subject bytes from one X.509 certificate. @@ -346,7 +245,6 @@ X509GetSubjectName ( return FALSE; } - Status = FALSE; X509Cert = NULL; // @@ -354,20 +252,27 @@ X509GetSubjectName ( // Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); if ((X509Cert == NULL) || (!Status)) { + Status = FALSE; goto _Exit; } + Status = FALSE; + // // Retrieve subject name from certificate object. // X509Name = X509_get_subject_name (X509Cert); + if (X509Name == NULL) { + goto _Exit; + } + if (*SubjectSize < (UINTN) X509Name->bytes->length) { *SubjectSize = (UINTN) X509Name->bytes->length; goto _Exit; } *SubjectSize = (UINTN) X509Name->bytes->length; if (CertSubject != NULL) { - CopyMem (CertSubject, (UINT8 *)X509Name->bytes->data, *SubjectSize); + CopyMem (CertSubject, (UINT8 *) X509Name->bytes->data, *SubjectSize); Status = TRUE; } @@ -375,7 +280,9 @@ _Exit: // // Release Resources. // - X509_free (X509Cert); + if (X509Cert != NULL) { + X509_free (X509Cert); + } return Status; } @@ -415,7 +322,6 @@ RsaGetPublicKeyFromX509 ( return FALSE; } - Status = FALSE; Pkey = NULL; X509Cert = NULL; @@ -424,9 +330,12 @@ RsaGetPublicKeyFromX509 ( // Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); if ((X509Cert == NULL) || (!Status)) { + Status = FALSE; goto _Exit; } + Status = FALSE; + // // Retrieve and check EVP_PKEY data from X509 Certificate. // @@ -446,8 +355,13 @@ _Exit: // // Release Resources. // - X509_free (X509Cert); - EVP_PKEY_free (Pkey); + if (X509Cert != NULL) { + X509_free (X509Cert); + } + + if (Pkey != NULL) { + EVP_PKEY_free (Pkey); + } return Status; } @@ -498,15 +412,22 @@ X509VerifyCert ( // // Register & Initialize necessary digest algorithms for certificate verification. // - EVP_add_digest (EVP_md5()); - EVP_add_digest (EVP_sha1()); - EVP_add_digest (EVP_sha256()); + if (EVP_add_digest (EVP_md5 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + goto _Exit; + } // // Read DER-encoded certificate to be verified and Construct X509 object. // Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert); if ((X509Cert == NULL) || (!Status)) { + Status = FALSE; goto _Exit; } @@ -515,9 +436,12 @@ X509VerifyCert ( // Status = X509ConstructCertificate (CACert, CACertSize, (UINT8 **) &X509CACert); if ((X509CACert == NULL) || (!Status)) { + Status = FALSE; goto _Exit; } + Status = FALSE; + // // Set up X509 Store for trusted certificate. // @@ -546,9 +470,17 @@ _Exit: // // Release Resources. // - X509_free (X509Cert); - X509_free (X509CACert); - X509_STORE_free (CertStore); + if (X509Cert != NULL) { + X509_free (X509Cert); + } + if (X509CACert != NULL) { + X509_free (X509CACert); + } + + if (CertStore != NULL) { + X509_STORE_free (CertStore); + } + return Status; } diff --git a/Cryptlib/Rand/CryptRand.c b/Cryptlib/Rand/CryptRand.c index a61c0c2..dc3ab99 100644 --- a/Cryptlib/Rand/CryptRand.c +++ b/Cryptlib/Rand/CryptRand.c @@ -43,6 +43,10 @@ RandomSeed ( IN UINTN SeedSize ) { + if (SeedSize > INT_MAX) { + return FALSE; + } + // // Seed the pseudorandom number generator with user-supplied value. // NOTE: A cryptographic PRNG must be seeded with unpredictable data. @@ -82,7 +86,7 @@ RandomBytes ( // // Check input parameters. // - if (Output == NULL) { + if (Output == NULL || Size > INT_MAX) { return FALSE; } diff --git a/Cryptlib/SysCall/BaseMemAllocation.c b/Cryptlib/SysCall/BaseMemAllocation.c index 1abe78e..75da1dd 100644 --- a/Cryptlib/SysCall/BaseMemAllocation.c +++ b/Cryptlib/SysCall/BaseMemAllocation.c @@ -2,7 +2,7 @@ Base Memory Allocation Routines Wrapper for Crypto library over OpenSSL during PEI & DXE phases. -Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -22,7 +22,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. /* Allocates memory blocks */ void *malloc (size_t size) { - return AllocatePool ((UINTN)size); + return AllocatePool ((UINTN) size); } /* Reallocate memory blocks */ @@ -32,7 +32,7 @@ void *realloc (void *ptr, size_t size) // BUG: hardcode OldSize == size! We have no any knowledge about // memory size of original pointer ptr. // - return ReallocatePool (ptr, (UINTN)size, (UINTN)size); + return ReallocatePool (ptr, (UINTN) size, (UINTN) size); } /* De-allocates or frees a memory block */ diff --git a/Cryptlib/SysCall/CrtWrapper.c b/Cryptlib/SysCall/CrtWrapper.c index 5a8322d..fb446b6 100644 --- a/Cryptlib/SysCall/CrtWrapper.c +++ b/Cryptlib/SysCall/CrtWrapper.c @@ -293,6 +293,16 @@ size_t fwrite (const void *buffer, size_t size, size_t count, FILE *stream) // -- Dummy OpenSSL Support Routines -- // +int BIO_printf (void *bio, const char *format, ...) +{ + return 0; +} + +int BIO_snprintf(char *buf, size_t n, const char *format, ...) +{ + return 0; +} + void *UI_OpenSSL(void) { return NULL; From 06caaf44f484812e2757bc9ee15979b5daad827d Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 4 Oct 2013 11:51:09 -0400 Subject: [PATCH 074/163] Reapply patches lost in the update --- Cryptlib/Cryptlib.diff | 21 +++++++++++++++++++++ Cryptlib/SysCall/CrtWrapper.c | 10 ---------- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/Cryptlib/Cryptlib.diff b/Cryptlib/Cryptlib.diff index d30743f..9663d90 100644 --- a/Cryptlib/Cryptlib.diff +++ b/Cryptlib/Cryptlib.diff @@ -34,3 +34,24 @@ index 805e6b4..bb7bcba 100644 // // Years Handling +diff --git a/Cryptlib/SysCall/CrtWrapper.c b/Cryptlib/SysCall/CrtWrapper.c +index fb446b6..5a8322d 100644 +--- a/Cryptlib/SysCall/CrtWrapper.c ++++ b/Cryptlib/SysCall/CrtWrapper.c +@@ -293,16 +293,6 @@ size_t fwrite (const void *buffer, size_t size, size_t count, FILE *stream) + // -- Dummy OpenSSL Support Routines -- + // + +-int BIO_printf (void *bio, const char *format, ...) +-{ +- return 0; +-} +- +-int BIO_snprintf(char *buf, size_t n, const char *format, ...) +-{ +- return 0; +-} +- + void *UI_OpenSSL(void) + { + return NULL; diff --git a/Cryptlib/SysCall/CrtWrapper.c b/Cryptlib/SysCall/CrtWrapper.c index fb446b6..5a8322d 100644 --- a/Cryptlib/SysCall/CrtWrapper.c +++ b/Cryptlib/SysCall/CrtWrapper.c @@ -293,16 +293,6 @@ size_t fwrite (const void *buffer, size_t size, size_t count, FILE *stream) // -- Dummy OpenSSL Support Routines -- // -int BIO_printf (void *bio, const char *format, ...) -{ - return 0; -} - -int BIO_snprintf(char *buf, size_t n, const char *format, ...) -{ - return 0; -} - void *UI_OpenSSL(void) { return NULL; From 7de74e673435362b35f7fb8fba31cfc75e166363 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 4 Oct 2013 11:51:09 -0400 Subject: [PATCH 075/163] Do more strict checking on PE Headers. Signed-off-by: Peter Jones --- shim.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/shim.c b/shim.c index ebd7f0d..51dfc26 100644 --- a/shim.c +++ b/shim.c @@ -779,6 +779,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, { EFI_IMAGE_DOS_HEADER *DosHdr = data; EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data; + unsigned long HeaderWithoutDataDir, SectionHeaderOffset; if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) { Print(L"Invalid image\n"); @@ -788,6 +789,37 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew); + if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES + < PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes) { + Print(L"Image header too small\n"); + return EFI_UNSUPPORTED; + } + + HeaderWithoutDataDir = sizeof (EFI_IMAGE_OPTIONAL_HEADER64) + - sizeof (EFI_IMAGE_DATA_DIRECTORY) * EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES; + if (((UINT32)PEHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) != + PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes + * sizeof (EFI_IMAGE_DATA_DIRECTORY)) { + Print(L"Image header overflows data directory\n"); + return EFI_UNSUPPORTED; + } + + SectionHeaderOffset = DosHdr->e_lfanew + + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + PEHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader; + if ((PEHdr->Pe32Plus.OptionalHeader.SizeOfImage - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER + <= PEHdr->Pe32Plus.FileHeader.NumberOfSections) { + Print(L"Image sections overflow image size\n"); + return EFI_UNSUPPORTED; + } + + if ((PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER + < (UINT32)PEHdr->Pe32Plus.FileHeader.NumberOfSections) { + Print(L"Image sections overflow section headers\n"); + return EFI_UNSUPPORTED; + } + if ((((UINT8 *)PEHdr - (UINT8 *)data) + sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION)) > datasize) { Print(L"Invalid image\n"); return EFI_UNSUPPORTED; @@ -897,6 +929,12 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return EFI_UNSUPPORTED; } + if (Section->VirtualAddress < context.SizeOfHeaders || + Section->PointerToRawData < context.SizeOfHeaders) { + Print(L"Section is inside image headers\n"); + return EFI_UNSUPPORTED; + } + if (Section->SizeOfRawData > 0) CopyMem(base, data + Section->PointerToRawData, size); From 4ab978a3697c88827f4099fe5774031caf5baf44 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 4 Oct 2013 11:51:09 -0400 Subject: [PATCH 076/163] Try to actually make debug printing look reasonable. Signed-off-by: Peter Jones --- include/console.h | 22 ++++++++++++++++++++-- lib/console.c | 33 +++++++++++++++++++-------------- shim.c | 32 ++++++++------------------------ 3 files changed, 47 insertions(+), 40 deletions(-) diff --git a/include/console.h b/include/console.h index fbeb7e6..e6c2818 100644 --- a/include/console.h +++ b/include/console.h @@ -20,8 +20,6 @@ console_alertbox(CHAR16 **title); void console_notify(CHAR16 *string); void -console_notify_ascii(CHAR8 *string); -void console_reset(void); #define NOSEL 0x7fffffff @@ -66,5 +64,25 @@ struct _EFI_CONSOLE_CONTROL_PROTOCOL { }; extern VOID setup_console (int text); +extern VOID setup_verbosity(VOID); +extern UINT8 verbose; +#define dprint(fmt, ...) ({ \ + UINTN __dprint_ret = 0; \ + if (verbose) \ + __dprint_ret = Print((fmt), ##__VA_ARGS__); \ + __dprint_ret; \ + }) +#define dprinta(fmt, ...) ({ \ + UINTN __dprinta_ret = 0; \ + if (verbose) { \ + UINTN __dprinta_i; \ + CHAR16 *__dprinta_str = AllocateZeroPool((strlena(fmt) + 1) * 2); \ + for (__dprinta_i = 0; fmt[__dprinta_i] != '\0'; __dprinta_i++) \ + __dprinta_str[__dprinta_i] = fmt[__dprinta_i]; \ + __dprinta_ret = Print((__dprinta_str), ##__VA_ARGS__); \ + FreePool(__dprinta_str); \ + } \ + __dprinta_ret; \ + }) #endif /* _SHIM_LIB_CONSOLE_H */ diff --git a/lib/console.c b/lib/console.c index 44b08f2..1f8f59c 100644 --- a/lib/console.c +++ b/lib/console.c @@ -8,6 +8,7 @@ #include #include +#include #include static int min(int a, int b) @@ -312,20 +313,6 @@ console_notify(CHAR16 *string) console_alertbox(str_arr); } -void -console_notify_ascii(CHAR8 *string) -{ - CHAR16 *str = AllocateZeroPool((strlena(string) + 1) * 2); - int i, j; - - if (!str) - return; - - for (i = 0, j = 1; string[i] != '\0'; i++, j+=2) - str[j] = string[i]; - console_notify(str); -} - #define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) /* Copy of gnu-efi-3.0 with the added secure boot strings */ @@ -416,6 +403,24 @@ console_reset(void) uefi_call_wrapper(co->ClearScreen, 1, co); } +UINT8 verbose; + +VOID +setup_verbosity(VOID) +{ + EFI_STATUS status; + EFI_GUID global_var = EFI_GLOBAL_VARIABLE; + UINT8 verbose_check; + UINTN verbose_check_size; + + verbose_check_size = 1; + status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check, + &verbose_check_size, global_var); + verbose = 0; + if (!EFI_ERROR(status)) + verbose = verbose_check; +} + VOID setup_console (int text) { EFI_STATUS status; diff --git a/shim.c b/shim.c index 51dfc26..502a91d 100644 --- a/shim.c +++ b/shim.c @@ -59,7 +59,6 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB static CHAR16 *second_stage; static void *load_options; static UINT32 load_options_size; -static UINT8 verbose; EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; @@ -731,12 +730,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, * databases */ status = check_whitelist(cert, sha256hash, sha1hash); - - if (status == EFI_SUCCESS) { - if (verbose) - console_notify(L"Binary is whitelisted\n"); + if (status == EFI_SUCCESS) return status; - } /* * Check against the shim build key @@ -746,8 +741,6 @@ static EFI_STATUS verify_buffer (char *data, int datasize, shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - if (verbose) - console_notify(L"Binary is verified by the vendor certificate\n"); return status; } @@ -760,12 +753,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize, vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - if (verbose) - console_notify(L"Binary is verified by the vendor certificate\n"); return status; } - Print(L"Invalid signature\n"); status = EFI_ACCESS_DENIED; return status; @@ -896,9 +886,12 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, if (secure_mode ()) { efi_status = verify_buffer(data, datasize, &context); - if (efi_status != EFI_SUCCESS) { - Print(L"Verification failed\n"); + if (EFI_ERROR(efi_status)) { + console_error(L"Verification failed", efi_status); return efi_status; + } else { + if (verbose) + console_notify(L"Verification succeeded"); } } @@ -1681,9 +1674,6 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) static SHIM_LOCK shim_lock_interface; EFI_HANDLE handle = NULL; EFI_STATUS efi_status; - UINT8 verbose_check; - UINTN verbose_check_size; - EFI_GUID global_var = EFI_GLOBAL_VARIABLE; verification_method = VERIFIED_BY_NOTHING; @@ -1708,15 +1698,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) InitializeLib(image_handle, systab); setup_console(1); + setup_verbosity(); - verbose_check_size = 1; - efi_status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check, - &verbose_check_size, global_var); - if (!EFI_ERROR(efi_status)) - verbose = verbose_check; - - if (verbose) - console_notify_ascii(shim_version); + dprinta(shim_version); /* Set the second stage loader */ set_second_stage (image_handle); From 29d9c7c32799b3f9d95c8c971af827a049931801 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 4 Oct 2013 13:54:35 -0400 Subject: [PATCH 077/163] Put SHIM_VERBOSE under shim's guid, not global. Signed-off-by: Peter Jones --- lib/console.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/console.c b/lib/console.c index 1f8f59c..2fc8db3 100644 --- a/lib/console.c +++ b/lib/console.c @@ -11,6 +11,8 @@ #include #include +static EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; + static int min(int a, int b) { if (a < b) @@ -409,13 +411,13 @@ VOID setup_verbosity(VOID) { EFI_STATUS status; - EFI_GUID global_var = EFI_GLOBAL_VARIABLE; + EFI_GUID guid = SHIM_LOCK_GUID; UINT8 verbose_check; UINTN verbose_check_size; verbose_check_size = 1; status = get_variable(L"SHIM_VERBOSE", (void *)&verbose_check, - &verbose_check_size, global_var); + &verbose_check_size, guid); verbose = 0; if (!EFI_ERROR(status)) verbose = verbose_check; From 98a9957866b31d0ca457961932a9f997068f3ab3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 4 Oct 2013 15:31:48 -0400 Subject: [PATCH 078/163] Unhook system services as we exit. If we never find a valid thing to boot, we need to undo the weird things we've done. Signed-off-by: Peter Jones --- replacements.c | 2 +- replacements.h | 1 + shim.c | 18 ++++++++++++------ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/replacements.c b/replacements.c index b05b220..bac5e5d 100644 --- a/replacements.c +++ b/replacements.c @@ -66,7 +66,7 @@ static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; extern UINT8 insecure_mode; -static void +void unhook_system_services(void) { if (insecure_mode) diff --git a/replacements.h b/replacements.h index 806c038..5b57bc2 100644 --- a/replacements.h +++ b/replacements.h @@ -39,5 +39,6 @@ extern verification_method_t verification_method; extern int loader_is_participating; extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab); +extern void unhook_system_services(void); #endif /* SHIM_REPLACEMENTS_H */ diff --git a/shim.c b/shim.c index 502a91d..c8759a5 100644 --- a/shim.c +++ b/shim.c @@ -1767,12 +1767,6 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) efi_status = init_grub(image_handle); - /* - * If we're back here then clean everything up before exiting - */ - uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, - &shim_lock_guid, &shim_lock_interface); - #if defined(OVERRIDE_SECURITY_POLICY) /* * Clean up the security protocol hook @@ -1780,6 +1774,18 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) security_policy_uninstall(); #endif + /* + * If we're back here then clean everything up before exiting + */ + uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, + &shim_lock_guid, &shim_lock_interface); + + + /* + * Remove our hooks from system services. + */ + unhook_system_services(); + /* * Free the space allocated for the alternative 2nd stage loader */ From ee4deae045c984e265a30c42e85a267e14e84680 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 4 Oct 2013 17:04:21 -0400 Subject: [PATCH 079/163] Bump version to 0.5 Signed-off-by: Peter Jones --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4a8b553..0fce466 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ endif LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) -VERSION = 0.4 +VERSION = 0.5 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o From a0df78b73f922bde50e753d46e9276777bf883ac Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 22 Oct 2013 11:23:51 -0400 Subject: [PATCH 080/163] additional bounds-checking on section sizes This adds additional bounds-checking on the section sizes. Also adds -Wsign-compare to the Makefile and replaces some signed variables with unsigned counteparts for robustness. Signed-off-by: Kees Cook --- Makefile | 3 +- MokManager.c | 6 ++-- PasswordCrypt.c | 4 +-- shim.c | 84 ++++++++++++++++++++++++++++++++++--------------- 4 files changed, 65 insertions(+), 32 deletions(-) diff --git a/Makefile b/Makefile index 0fce466..af7642b 100644 --- a/Makefile +++ b/Makefile @@ -16,7 +16,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ + -fshort-wchar -Wall -Wsign-compare -Werror \ + -mno-red-zone -maccumulate-outgoing-args \ -mno-mmx -mno-sse -fno-builtin \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ diff --git a/MokManager.c b/MokManager.c index f5ed379..3da61f4 100644 --- a/MokManager.c +++ b/MokManager.c @@ -440,7 +440,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) MokListNode *keys = NULL; INTN key_num = 0; CHAR16 **menu_strings; - int i; + unsigned int i; if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA))) { @@ -491,7 +491,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) { EFI_INPUT_KEY key; - int count = 0; + unsigned int count = 0; do { key = console_get_keystroke(); @@ -640,7 +640,7 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; - int i; + unsigned int i; if (pw_crypt) { auth_hash = pw_crypt->hash; diff --git a/PasswordCrypt.c b/PasswordCrypt.c index 8d72a82..e0a82cf 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -154,7 +154,7 @@ static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA256_Init(&alt_ctx); - for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) SHA256_Update(&alt_ctx, salt, salt_size); SHA256_Final(tmp_result, &alt_ctx); @@ -242,7 +242,7 @@ static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA512_Init(&alt_ctx); - for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) SHA512_Update(&alt_ctx, salt, salt_size); SHA512_Final(tmp_result, &alt_ctx); diff --git a/shim.c b/shim.c index c8759a5..58136db 100644 --- a/shim.c +++ b/shim.c @@ -102,7 +102,7 @@ typedef struct { /* * Perform basic bounds checking of the intra-image pointers */ -static void *ImageAddress (void *image, int size, unsigned int address) +static void *ImageAddress (void *image, unsigned int size, unsigned int address) { if (address > size) return NULL; @@ -480,18 +480,19 @@ static BOOLEAN secure_mode (void) * Calculate the SHA1 and SHA256 hashes of a binary */ -static EFI_STATUS generate_hash (char *data, int datasize, +static EFI_STATUS generate_hash (char *data, int datasize_in, PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash, UINT8 *sha1hash) { unsigned int sha256ctxsize, sha1ctxsize; - unsigned int size = datasize; + unsigned int size; void *sha256ctx = NULL, *sha1ctx = NULL; char *hashbase; unsigned int hashsize; unsigned int SumOfBytesHashed, SumOfSectionBytes; unsigned int index, pos; + unsigned int datasize; EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; EFI_IMAGE_SECTION_HEADER *SectionCache; @@ -503,6 +504,12 @@ static EFI_STATUS generate_hash (char *data, int datasize, sha1ctxsize = Sha1GetContextSize(); sha1ctx = AllocatePool(sha1ctxsize); + if (datasize_in < 0) { + Print(L"Invalid data size\n"); + return EFI_INVALID_PARAMETER; + } + size = datasize = (unsigned int)datasize_in; + if (!sha256ctx || !sha1ctx) { Print(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; @@ -553,22 +560,29 @@ static EFI_STATUS generate_hash (char *data, int datasize, /* Sort sections */ SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; - Section = (EFI_IMAGE_SECTION_HEADER *) ( - (char *)context->PEHdr + sizeof (UINT32) + - sizeof (EFI_IMAGE_FILE_HEADER) + - context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - ); - - SectionCache = Section; - + /* Validate section locations and sizes */ for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { - SumOfSectionBytes += SectionCache->SizeOfRawData; - } + EFI_IMAGE_SECTION_HEADER *SectionPtr; - if (SumOfSectionBytes >= datasize) { - Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size); - status = EFI_INVALID_PARAMETER; - goto done; + /* Validate SectionPtr is within image */ + SectionPtr = ImageAddress(data, datasize, + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + + (index * sizeof(*SectionPtr))); + if (!SectionPtr) { + Print(L"Malformed section %d\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + /* Validate section size is within image. */ + if (SectionPtr->SizeOfRawData > + datasize - SumOfBytesHashed - SumOfSectionBytes) { + Print(L"Malformed section %d size\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + SumOfSectionBytes += SectionPtr->SizeOfRawData; } SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); @@ -578,6 +592,11 @@ static EFI_STATUS generate_hash (char *data, int datasize, goto done; } + /* Already validated above */ + Section = ImageAddress(data, datasize, sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader); + /* Sort the section headers */ for (index = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { pos = index; @@ -595,8 +614,8 @@ static EFI_STATUS generate_hash (char *data, int datasize, if (Section->SizeOfRawData == 0) { continue; } - hashbase = ImageAddress(data, size, Section->PointerToRawData); - hashsize = (unsigned int) Section->SizeOfRawData; + hashbase = ImageAddress(data, size, + Section->PointerToRawData); if (!hashbase) { Print(L"Malformed section header\n"); @@ -604,6 +623,15 @@ static EFI_STATUS generate_hash (char *data, int datasize, goto done; } + /* Verify hashsize within image. */ + if (Section->SizeOfRawData > + datasize - Section->PointerToRawData) { + Print(L"Malformed section raw size %d\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + hashsize = (unsigned int) Section->SizeOfRawData; + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { Print(L"Unable to generate hash\n"); @@ -614,10 +642,10 @@ static EFI_STATUS generate_hash (char *data, int datasize, } /* Hash all remaining data */ - if (size > SumOfBytesHashed) { + if (datasize > SumOfBytesHashed) { hashbase = data + SumOfBytesHashed; hashsize = (unsigned int)( - size - + datasize - context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - SumOfBytesHashed); @@ -846,7 +874,8 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, return EFI_UNSUPPORTED; } - if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { + if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) > + (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { Print(L"Invalid image\n"); return EFI_UNSUPPORTED; } @@ -866,7 +895,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, { EFI_STATUS efi_status; char *buffer; - int i, size; + int i; + unsigned int size; EFI_IMAGE_SECTION_HEADER *Section; char *base, *end; PE_COFF_LOADER_IMAGE_CONTEXT context; @@ -1043,7 +1073,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, { EFI_DEVICE_PATH *devpath; EFI_HANDLE device; - int i, j, last = -1; + unsigned int i; + int j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; @@ -1598,9 +1629,10 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) EFI_STATUS status; EFI_LOADED_IMAGE *li; CHAR16 *start = NULL, *c; - int i, remaining_size = 0; + unsigned int i; + int remaining_size = 0; CHAR16 *loader_str = NULL; - int loader_len = 0; + unsigned int loader_len = 0; second_stage = DEFAULT_LOADER; load_options = NULL; From 8044a321f94e0196dbc1ff7764944f5710438e29 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 22 Oct 2013 13:40:08 -0400 Subject: [PATCH 081/163] Don't reject all binaries without a certificate database. If a binary isn't signed, but its hash is enrolled in db, it won't have a certificate database. So in those cases, don't check it against certificate databases in db/dbx/etc, but we don't need to reject it outright. Signed-off-by: Peter Jones --- shim.c | 70 +++++++++++++++++++++++++++++++--------------------------- 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/shim.c b/shim.c index 58136db..3d1febb 100644 --- a/shim.c +++ b/shim.c @@ -371,8 +371,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; - if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert, - sha256hash) == DATA_FOUND) + if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert, + sha256hash) == DATA_FOUND) return EFI_ACCESS_DENIED; if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE, @@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == DATA_FOUND) return EFI_ACCESS_DENIED; - if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND) + if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) == + DATA_FOUND) return EFI_ACCESS_DENIED; return EFI_SUCCESS; @@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; } - if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) { + if (cert && check_db_cert(L"db", secure_var, cert, sha256hash) + == DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); return EFI_SUCCESS; @@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, update_verification_method(VERIFIED_BY_HASH); return EFI_SUCCESS; } - if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) { + if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) == + DATA_FOUND) { verification_method = VERIFIED_BY_CERT; update_verification_method(VERIFIED_BY_CERT); return EFI_SUCCESS; @@ -712,25 +715,24 @@ static EFI_STATUS verify_buffer (char *data, int datasize, UINT8 sha256hash[SHA256_DIGEST_SIZE]; UINT8 sha1hash[SHA1_DIGEST_SIZE]; EFI_STATUS status = EFI_ACCESS_DENIED; - WIN_CERTIFICATE_EFI_PKCS *cert; + WIN_CERTIFICATE_EFI_PKCS *cert = NULL; unsigned int size = datasize; - if (context->SecDir->Size == 0) { - Print(L"Empty security header\n"); - return EFI_INVALID_PARAMETER; - } + if (context->SecDir->Size != 0) { + cert = ImageAddress (data, size, + context->SecDir->VirtualAddress); - cert = ImageAddress (data, size, context->SecDir->VirtualAddress); + if (!cert) { + Print(L"Certificate located outside the image\n"); + return EFI_INVALID_PARAMETER; + } - if (!cert) { - Print(L"Certificate located outside the image\n"); - return EFI_INVALID_PARAMETER; - } - - if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { - Print(L"Unsupported certificate type %x\n", - cert->Hdr.wCertificateType); - return EFI_UNSUPPORTED; + if (cert->Hdr.wCertificateType != + WIN_CERT_TYPE_PKCS_SIGNED_DATA) { + Print(L"Unsupported certificate type %x\n", + cert->Hdr.wCertificateType); + return EFI_UNSUPPORTED; + } } status = generate_hash(data, datasize, context, sha256hash, sha1hash); @@ -761,27 +763,29 @@ static EFI_STATUS verify_buffer (char *data, int datasize, if (status == EFI_SUCCESS) return status; - /* - * Check against the shim build key - */ - if (AuthenticodeVerify(cert->CertData, + if (cert) { + /* + * Check against the shim build key + */ + if (AuthenticodeVerify(cert->CertData, context->SecDir->Size - sizeof(cert->Hdr), shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { - status = EFI_SUCCESS; - return status; - } + status = EFI_SUCCESS; + return status; + } - /* - * And finally, check against shim's built-in key - */ - if (AuthenticodeVerify(cert->CertData, + /* + * And finally, check against shim's built-in key + */ + if (AuthenticodeVerify(cert->CertData, context->SecDir->Size - sizeof(cert->Hdr), vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { - status = EFI_SUCCESS; - return status; + status = EFI_SUCCESS; + return status; + } } status = EFI_ACCESS_DENIED; From cf718e194040b4fb0937d5b926545367118b6041 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 23 Oct 2013 10:50:36 -0400 Subject: [PATCH 082/163] Revert "additional bounds-checking on section sizes" This reverts commit 21e40f0174814b3d91836e38c7cf95c8f2f1f3a4. In principle I like the idea of what's going on here, but generate_hash() really does need to have the expected result. --- Makefile | 3 +- MokManager.c | 6 ++-- PasswordCrypt.c | 4 +-- shim.c | 86 ++++++++++++++++--------------------------------- 4 files changed, 33 insertions(+), 66 deletions(-) diff --git a/Makefile b/Makefile index af7642b..0fce466 100644 --- a/Makefile +++ b/Makefile @@ -16,8 +16,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror \ - -mno-red-zone -maccumulate-outgoing-args \ + -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ -mno-mmx -mno-sse -fno-builtin \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ diff --git a/MokManager.c b/MokManager.c index 3da61f4..f5ed379 100644 --- a/MokManager.c +++ b/MokManager.c @@ -440,7 +440,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) MokListNode *keys = NULL; INTN key_num = 0; CHAR16 **menu_strings; - unsigned int i; + int i; if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA))) { @@ -491,7 +491,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) { EFI_INPUT_KEY key; - unsigned int count = 0; + int count = 0; do { key = console_get_keystroke(); @@ -640,7 +640,7 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; - unsigned int i; + int i; if (pw_crypt) { auth_hash = pw_crypt->hash; diff --git a/PasswordCrypt.c b/PasswordCrypt.c index e0a82cf..8d72a82 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -154,7 +154,7 @@ static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA256_Init(&alt_ctx); - for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) SHA256_Update(&alt_ctx, salt, salt_size); SHA256_Final(tmp_result, &alt_ctx); @@ -242,7 +242,7 @@ static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA512_Init(&alt_ctx); - for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) SHA512_Update(&alt_ctx, salt, salt_size); SHA512_Final(tmp_result, &alt_ctx); diff --git a/shim.c b/shim.c index 3d1febb..537177d 100644 --- a/shim.c +++ b/shim.c @@ -102,7 +102,7 @@ typedef struct { /* * Perform basic bounds checking of the intra-image pointers */ -static void *ImageAddress (void *image, unsigned int size, unsigned int address) +static void *ImageAddress (void *image, int size, unsigned int address) { if (address > size) return NULL; @@ -483,19 +483,18 @@ static BOOLEAN secure_mode (void) * Calculate the SHA1 and SHA256 hashes of a binary */ -static EFI_STATUS generate_hash (char *data, int datasize_in, +static EFI_STATUS generate_hash (char *data, int datasize, PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash, UINT8 *sha1hash) { unsigned int sha256ctxsize, sha1ctxsize; - unsigned int size; + unsigned int size = datasize; void *sha256ctx = NULL, *sha1ctx = NULL; char *hashbase; unsigned int hashsize; unsigned int SumOfBytesHashed, SumOfSectionBytes; unsigned int index, pos; - unsigned int datasize; EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; EFI_IMAGE_SECTION_HEADER *SectionCache; @@ -507,12 +506,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, sha1ctxsize = Sha1GetContextSize(); sha1ctx = AllocatePool(sha1ctxsize); - if (datasize_in < 0) { - Print(L"Invalid data size\n"); - return EFI_INVALID_PARAMETER; - } - size = datasize = (unsigned int)datasize_in; - if (!sha256ctx || !sha1ctx) { Print(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; @@ -563,29 +556,22 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, /* Sort sections */ SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; - /* Validate section locations and sizes */ - for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { - EFI_IMAGE_SECTION_HEADER *SectionPtr; + Section = (EFI_IMAGE_SECTION_HEADER *) ( + (char *)context->PEHdr + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + ); - /* Validate SectionPtr is within image */ - SectionPtr = ImageAddress(data, datasize, - sizeof (UINT32) + - sizeof (EFI_IMAGE_FILE_HEADER) + - context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + - (index * sizeof(*SectionPtr))); - if (!SectionPtr) { - Print(L"Malformed section %d\n", index); - status = EFI_INVALID_PARAMETER; - goto done; - } - /* Validate section size is within image. */ - if (SectionPtr->SizeOfRawData > - datasize - SumOfBytesHashed - SumOfSectionBytes) { - Print(L"Malformed section %d size\n", index); - status = EFI_INVALID_PARAMETER; - goto done; - } - SumOfSectionBytes += SectionPtr->SizeOfRawData; + SectionCache = Section; + + for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { + SumOfSectionBytes += SectionCache->SizeOfRawData; + } + + if (SumOfSectionBytes >= datasize) { + Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size); + status = EFI_INVALID_PARAMETER; + goto done; } SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); @@ -595,11 +581,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, goto done; } - /* Already validated above */ - Section = ImageAddress(data, datasize, sizeof (UINT32) + - sizeof (EFI_IMAGE_FILE_HEADER) + - context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader); - /* Sort the section headers */ for (index = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { pos = index; @@ -617,8 +598,8 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (Section->SizeOfRawData == 0) { continue; } - hashbase = ImageAddress(data, size, - Section->PointerToRawData); + hashbase = ImageAddress(data, size, Section->PointerToRawData); + hashsize = (unsigned int) Section->SizeOfRawData; if (!hashbase) { Print(L"Malformed section header\n"); @@ -626,15 +607,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, goto done; } - /* Verify hashsize within image. */ - if (Section->SizeOfRawData > - datasize - Section->PointerToRawData) { - Print(L"Malformed section raw size %d\n", index); - status = EFI_INVALID_PARAMETER; - goto done; - } - hashsize = (unsigned int) Section->SizeOfRawData; - if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { Print(L"Unable to generate hash\n"); @@ -645,10 +617,10 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, } /* Hash all remaining data */ - if (datasize > SumOfBytesHashed) { + if (size > SumOfBytesHashed) { hashbase = data + SumOfBytesHashed; hashsize = (unsigned int)( - datasize - + size - context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - SumOfBytesHashed); @@ -878,8 +850,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, return EFI_UNSUPPORTED; } - if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) > - (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { + if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { Print(L"Invalid image\n"); return EFI_UNSUPPORTED; } @@ -899,8 +870,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, { EFI_STATUS efi_status; char *buffer; - int i; - unsigned int size; + int i, size; EFI_IMAGE_SECTION_HEADER *Section; char *base, *end; PE_COFF_LOADER_IMAGE_CONTEXT context; @@ -1077,8 +1047,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, { EFI_DEVICE_PATH *devpath; EFI_HANDLE device; - unsigned int i; - int j, last = -1; + int i, j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; @@ -1633,10 +1602,9 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) EFI_STATUS status; EFI_LOADED_IMAGE *li; CHAR16 *start = NULL, *c; - unsigned int i; - int remaining_size = 0; + int i, remaining_size = 0; CHAR16 *loader_str = NULL; - unsigned int loader_len = 0; + int loader_len = 0; second_stage = DEFAULT_LOADER; load_options = NULL; From 321797142eb9491aaada80a9b514e6a4005d3eec Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 28 Oct 2013 10:41:03 -0400 Subject: [PATCH 083/163] We should be checking both mok and the system's SB settings When we call hook_system_services(), we're currently only checking mok's setting. We should use secure_mode() instead so it'll check both. Signed-off-by: Peter Jones --- shim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shim.c b/shim.c index 537177d..9d0d884 100644 --- a/shim.c +++ b/shim.c @@ -1718,7 +1718,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) /* * Tell the user that we're in insecure mode if necessary */ - if (insecure_mode) { + if (!secure_mode()) { Print(L"Booting in insecure mode\n"); uefi_call_wrapper(BS->Stall, 1, 2000000); } else { From 6b1f8796ffe5d10a4993b4460178bc8cb3b4e70a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 30 Oct 2013 16:36:01 -0400 Subject: [PATCH 084/163] Don't free GetVariable() return data without checking the status code. This breaks every machine from before Secure Boot was a thing. Signed-off-by: Peter Jones --- shim.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/shim.c b/shim.c index 9d0d884..0081342 100644 --- a/shim.c +++ b/shim.c @@ -456,21 +456,30 @@ static BOOLEAN secure_mode (void) return FALSE; status = get_variable(L"SecureBoot", &Data, &len, global_var); + if (status != EFI_SUCCESS) { + if (verbose) + console_notify(L"Secure boot not enabled\n"); + return FALSE; + } sb = *Data; FreePool(Data); - /* FIXME - more paranoia here? */ - if (status != EFI_SUCCESS || sb != 1) { + if (sb != 1) { if (verbose) console_notify(L"Secure boot not enabled\n"); return FALSE; } status = get_variable(L"SetupMode", &Data, &len, global_var); + if (status == EFI_SUCCESS) { + if (verbose) + console_notify(L"Platform is in setup mode\n"); + return FALSE; + } setupmode = *Data; FreePool(Data); - if (status == EFI_SUCCESS && setupmode == 1) { + if (setupmode == 1) { if (verbose) console_notify(L"Platform is in setup mode\n"); return FALSE; From b2dd8614139d187b568e9ccf73b70156472d0b54 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 31 Oct 2013 11:12:24 -0400 Subject: [PATCH 085/163] Bump version to 0.6 Signed-off-by: Peter Jones --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0fce466..ab2eb8f 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ endif LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) -VERSION = 0.5 +VERSION = 0.6 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o From acac33809428862c9b37a8b4a7a46e6ce7bd5cd0 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 31 Oct 2013 11:16:32 -0400 Subject: [PATCH 086/163] Make tag its own make target, and make it sign tags. Signed-off-by: Peter Jones --- Makefile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ab2eb8f..e928e3a 100644 --- a/Makefile +++ b/Makefile @@ -136,8 +136,10 @@ test-archive: @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" -archive: - git tag $(GITTAG) refs/heads/master +tag: + git tag --sign $(GITTAG) refs/heads/master + +archive: tag @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp @mkdir -p /tmp/shim-$(VERSION)-tmp @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) From 0948ac09716fefd15c683ca7d6cd38fd92c9e794 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 6 Nov 2013 13:59:02 -0500 Subject: [PATCH 087/163] Fix check logic for SetupMode variable. After going back and inspecting this further, the logic for "SetupMode" being present at all was incorrect. Also initialize our state earlier so it's sure to always be set. Signed-off-by: Peter Jones --- shim.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/shim.c b/shim.c index 0081342..23dd0ee 100644 --- a/shim.c +++ b/shim.c @@ -471,11 +471,9 @@ static BOOLEAN secure_mode (void) } status = get_variable(L"SetupMode", &Data, &len, global_var); - if (status == EFI_SUCCESS) { - if (verbose) - console_notify(L"Platform is in setup mode\n"); - return FALSE; - } + if (status != EFI_SUCCESS) + return TRUE; + setupmode = *Data; FreePool(Data); @@ -1509,14 +1507,15 @@ static EFI_STATUS check_mok_sb (void) UINTN MokSBStateSize = 0; UINT32 attributes; + insecure_mode = 0; + ignore_db = 0; + status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize, shim_lock_guid, &attributes); if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; - insecure_mode = 0; - /* * Delete and ignore the variable if it's been set from or could be * modified by the OS From 6ae4e4f946d870bedb68f246cbf735d535a0fc7c Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 6 Nov 2013 14:07:05 -0500 Subject: [PATCH 088/163] Bump version to 0.7. Do not use 0.6; on some machines it misunderstands the SetupMode variable. Signed-off-by: Peter Jones --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e928e3a..a22c6b3 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ endif LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) -VERSION = 0.6 +VERSION = 0.7 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o From 42426e6eae764da650b963ad1cd957fee7df351a Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:24:01 -0500 Subject: [PATCH 089/163] fix verify_mok() () Fix the return value semantics. If the MokList doesn't exist, we are OK. If the MokList was compromised but we were able to erase it, that is OK too. Only if the list can't be nuked do we return an error. () Fix use of potentially uninitialized attribute variable () Actually use the return value when called from verify_buffer. Change-Id: If16df21d79c52a1726928df96d133390cde4cb7e Signed-off-by: Andrew Boie --- shim.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/shim.c b/shim.c index 23dd0ee..dcb36d0 100644 --- a/shim.c +++ b/shim.c @@ -670,13 +670,12 @@ static EFI_STATUS verify_mok (void) { status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize, shim_lock_guid, &attributes); - if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { + if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) { Print(L"MokList is compromised!\nErase all keys in MokList!\n"); if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) { Print(L"Failed to erase MokList\n"); + return EFI_ACCESS_DENIED; } - status = EFI_ACCESS_DENIED; - return status; } if (MokListData) @@ -722,7 +721,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize, /* * Check that the MOK database hasn't been modified */ - verify_mok(); + status = verify_mok(); + if (status != EFI_SUCCESS) + return status; /* * Ensure that the binary isn't blacklisted From b6a12d99be4659e85f383061749f2bd2f8e8f2d2 Mon Sep 17 00:00:00 2001 From: Mohanraj S Date: Tue, 12 Nov 2013 10:25:23 -0500 Subject: [PATCH 090/163] shim.c: Add support for hashing/relocation of 32-bit binaries Change-Id: Ib93305f7f1691d1b142567507df1058de62dde06 Signed-off-by: Andrew Boie --- shim.c | 72 +++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 49 insertions(+), 23 deletions(-) diff --git a/shim.c b/shim.c index dcb36d0..a043779 100644 --- a/shim.c +++ b/shim.c @@ -126,7 +126,11 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, int size = context->ImageSize; void *ImageEnd = (char *)data + size; +#if __LP64__ context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)data; +#else + context->PEHdr->Pe32.OptionalHeader.ImageBase = (UINT32)data; +#endif if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { Print(L"Image has no relocation entry\n"); @@ -141,7 +145,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, return EFI_UNSUPPORTED; } - Adjust = (UINT64)data - context->ImageAddress; + Adjust = (UINTN)data - context->ImageAddress; if (Adjust == 0) return EFI_SUCCESS; @@ -549,9 +553,15 @@ static EFI_STATUS generate_hash (char *data, int datasize, } /* Hash end of certificate table to end of image header */ +#if __LP64__ hashbase = (char *) &context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; hashsize = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders - (int) ((char *) (&context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - data); +#else + hashbase = (char *) &context->PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; + hashsize = context->PEHdr->Pe32.OptionalHeader.SizeOfHeaders - + (int) ((char *) (&context->PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - data); +#endif if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -561,7 +571,11 @@ static EFI_STATUS generate_hash (char *data, int datasize, } /* Sort sections */ +#if __LP64__ SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; +#else + SumOfBytesHashed = context->PEHdr->Pe32.OptionalHeader.SizeOfHeaders; +#endif Section = (EFI_IMAGE_SECTION_HEADER *) ( (char *)context->PEHdr + sizeof (UINT32) + @@ -628,7 +642,11 @@ static EFI_STATUS generate_hash (char *data, int datasize, hashbase = data + SumOfBytesHashed; hashsize = (unsigned int)( size - +#if __LP64__ context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - +#else + context->PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - +#endif SumOfBytesHashed); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || @@ -781,7 +799,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, { EFI_IMAGE_DOS_HEADER *DosHdr = data; EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data; - unsigned long HeaderWithoutDataDir, SectionHeaderOffset; + unsigned long HeaderWithoutDataDir, SectionHeaderOffset, OptHeaderSize; if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) { Print(L"Invalid image\n"); @@ -790,18 +808,28 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew); +#if __LP64__ + context->NumberOfRvaAndSizes = PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes; + context->SizeOfHeaders = PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; + context->ImageSize = PEHdr->Pe32Plus.OptionalHeader.SizeOfImage; + OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER64); +#else + context->NumberOfRvaAndSizes = PEHdr->Pe32.OptionalHeader.NumberOfRvaAndSizes; + context->SizeOfHeaders = PEHdr->Pe32.OptionalHeader.SizeOfHeaders; + context->ImageSize = (UINT64)PEHdr->Pe32.OptionalHeader.SizeOfImage; + OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER32); +#endif + context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections; - if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES - < PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes) { + if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES < context->NumberOfRvaAndSizes) { Print(L"Image header too small\n"); return EFI_UNSUPPORTED; } - HeaderWithoutDataDir = sizeof (EFI_IMAGE_OPTIONAL_HEADER64) + HeaderWithoutDataDir = OptHeaderSize - sizeof (EFI_IMAGE_DATA_DIRECTORY) * EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES; - if (((UINT32)PEHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) != - PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes - * sizeof (EFI_IMAGE_DATA_DIRECTORY)) { + if (((UINT32)PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) != + context->NumberOfRvaAndSizes * sizeof (EFI_IMAGE_DATA_DIRECTORY)) { Print(L"Image header overflows data directory\n"); return EFI_UNSUPPORTED; } @@ -809,15 +837,15 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, SectionHeaderOffset = DosHdr->e_lfanew + sizeof (UINT32) + sizeof (EFI_IMAGE_FILE_HEADER) - + PEHdr->Pe32Plus.FileHeader.SizeOfOptionalHeader; - if ((PEHdr->Pe32Plus.OptionalHeader.SizeOfImage - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER - <= PEHdr->Pe32Plus.FileHeader.NumberOfSections) { + + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader; + if (((UINT32)context->ImageSize - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER + <= context->NumberOfSections) { Print(L"Image sections overflow image size\n"); return EFI_UNSUPPORTED; } - if ((PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER - < (UINT32)PEHdr->Pe32Plus.FileHeader.NumberOfSections) { + if ((context->SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER + < (UINT32)context->NumberOfSections) { Print(L"Image sections overflow section headers\n"); return EFI_UNSUPPORTED; } @@ -837,21 +865,19 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, return EFI_UNSUPPORTED; } - if (PEHdr->Pe32.OptionalHeader.Magic != EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) { - Print(L"Only 64-bit images supported\n"); - return EFI_UNSUPPORTED; - } - context->PEHdr = PEHdr; +#if __LP64__ context->ImageAddress = PEHdr->Pe32Plus.OptionalHeader.ImageBase; - context->ImageSize = (UINT64)PEHdr->Pe32Plus.OptionalHeader.SizeOfImage; - context->SizeOfHeaders = PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; context->EntryPoint = PEHdr->Pe32Plus.OptionalHeader.AddressOfEntryPoint; context->RelocDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; - context->NumberOfRvaAndSizes = PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes; - context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections; - context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER)); context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; +#else + context->ImageAddress = PEHdr->Pe32.OptionalHeader.ImageBase; + context->EntryPoint = PEHdr->Pe32.OptionalHeader.AddressOfEntryPoint; + context->RelocDir = &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; + context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; +#endif + context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER)); if (context->ImageSize < context->SizeOfHeaders) { Print(L"Invalid image\n"); From 75d0c1d8219047d0dfc80dea8752ea695516f19d Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:25:40 -0500 Subject: [PATCH 091/163] netboot.h: fix build error on 32-bit systems Function prototype/implementation mismatch. Change-Id: I89aaae1b49d0372d3aed76fc21c194e0ae55f72e Signed-off-by: Andrew Boie --- netboot.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netboot.h b/netboot.h index 2cdb421..6417373 100644 --- a/netboot.h +++ b/netboot.h @@ -5,5 +5,5 @@ extern BOOLEAN findNetboot(EFI_HANDLE image_handle); extern EFI_STATUS parseNetbootinfo(EFI_HANDLE image_handle); -extern EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINTN *bufsiz); +extern EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *bufsiz); #endif From e226b35e65d7bcb63924519e009f8415f2c4c23f Mon Sep 17 00:00:00 2001 From: Andrey Petrov Date: Tue, 12 Nov 2013 10:25:51 -0500 Subject: [PATCH 092/163] properly compile OpenSSL in 32-bit mode Change-Id: Iff3ee5ae0f0b95b282b99a23e465723b4e9f6104 Signed-off-by: Andrey Petrov Signed-off-by: Andrew Boie --- Cryptlib/OpenSSL/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index c93d5af..3d5a87c 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -10,9 +10,12 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC + -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG +endif +ifeq ($(ARCH),ia32) + CFLAGS += -DTHIRTY_TWO_BIT endif LDFLAGS = -nostdlib -znocombreloc From 2c5f9938addac2d259c9db37f3f119cc9cd4c6ac Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:30:02 -0500 Subject: [PATCH 093/163] fallback.c: fix 32-bit compilation fh->Read expects pointer to 32-bit int, use UINTN Change-Id: If1a728efd51a9a24dfcd8123e84bf4c0713491fe Signed-off-by: Andrew Boie --- fallback.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fallback.c b/fallback.c index 82ddbf2..c875144 100644 --- a/fallback.c +++ b/fallback.c @@ -15,7 +15,7 @@ EFI_LOADED_IMAGE *this_image = NULL; static EFI_STATUS -get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize) +get_file_size(EFI_FILE_HANDLE fh, UINTN *retsize) { EFI_STATUS rc; void *buffer = NULL; @@ -60,7 +60,7 @@ read_file(EFI_FILE_HANDLE fh, CHAR16 *fullpath, CHAR16 **buffer, UINT64 *bs) return rc; } - UINT64 len = 0; + UINTN len = 0; CHAR16 *b = NULL; rc = get_file_size(fh2, &len); if (EFI_ERROR(rc)) { From 663b2b931f95350894f011d77f4124bd2d41d806 Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:30:30 -0500 Subject: [PATCH 094/163] fix fallback.so build dependency Exposed during parallel builds Change-Id: I9867858166dcafd69438f37ee5da14a267ace8f4 Signed-off-by: Andrew Boie --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a22c6b3..2eab862 100644 --- a/Makefile +++ b/Makefile @@ -83,7 +83,7 @@ shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a fallback.o: $(FALLBACK_SRCS) -fallback.so: $(FALLBACK_OBJS) +fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) MokManager.o: $(MOK_SOURCES) From cfac0bb9f40f7d1fbd1de9bbff87df65e7392f1b Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:30:53 -0500 Subject: [PATCH 095/163] propagate some path variables If these are overridden on the command line, pass them along to the sub-makes. Change-Id: I531ccb5d2f5e4be8e99d4892cdcfffffc1ad9877 Signed-off-by: Andrew Boie --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 2eab862..d619ff4 100644 --- a/Makefile +++ b/Makefile @@ -92,13 +92,13 @@ MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: - $(MAKE) -C Cryptlib + $(MAKE) -C Cryptlib EFI_PATH=$(EFI_PATH) EFI_INCLUDE=$(EFI_INCLUDE) ARCH=$(ARCH) Cryptlib/OpenSSL/libopenssl.a: - $(MAKE) -C Cryptlib/OpenSSL + $(MAKE) -C Cryptlib/OpenSSL EFI_PATH=$(EFI_PATH) EFI_INCLUDE=$(EFI_INCLUDE) ARCH=$(ARCH) lib/lib.a: - $(MAKE) -C lib EFI_PATH=$(EFI_PATH) + $(MAKE) -C lib EFI_PATH=$(EFI_PATH) EFI_INCLUDE=$(EFI_INCLUDE) ARCH=$(ARCH) %.efi: %.so objcopy -j .text -j .sdata -j .data \ From 6caa9bad715eba8ce423527f8b876a636327b0be Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:31:59 -0500 Subject: [PATCH 096/163] allow 32-bit compilation with 64-bit compiler Also removed unused LIB_PATH from some Makefiles. Change-Id: I7d28d18f7531b51b6121a2ffb88bcaedec57c467 Signed-off-by: Andrew Boie --- Cryptlib/Makefile | 5 +++-- Cryptlib/OpenSSL/Makefile | 4 +--- Makefile | 3 +++ lib/Makefile | 3 +++ 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index a05a4db..d24e59e 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -1,7 +1,5 @@ ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -LIB_PATH = /usr/lib64 - EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -nostdinc -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol EFI_PATH = /usr/lib64/gnuefi @@ -14,6 +12,9 @@ CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort- ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif +ifeq ($(ARCH),ia32) + CFLAGS += -m32 +endif LDFLAGS = -nostdlib -znocombreloc TARGET = libcryptlib.a diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 3d5a87c..8e2f2a6 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -1,7 +1,5 @@ ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -LIB_PATH = /usr/lib64 - EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol EFI_PATH = /usr/lib64/gnuefi @@ -15,7 +13,7 @@ ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG endif ifeq ($(ARCH),ia32) - CFLAGS += -DTHIRTY_TWO_BIT + CFLAGS += -m32 -DTHIRTY_TWO_BIT endif LDFLAGS = -nostdlib -znocombreloc diff --git a/Makefile b/Makefile index d619ff4..e65d28d 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,9 @@ endif ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif +ifeq ($(ARCH),ia32) + CFLAGS += -m32 +endif ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" endif diff --git a/lib/Makefile b/lib/Makefile index adb0347..a9c9cf6 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -17,6 +17,9 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ ifeq ($(ARCH),x86_64) CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif +ifeq ($(ARCH),ia32) + CFLAGS += -m32 +endif lib.a: $(LIBFILES) ar rcs lib.a $(LIBFILES) From acacfca319119bb86c32674034edab42df670619 Mon Sep 17 00:00:00 2001 From: Andrew Boie Date: Tue, 12 Nov 2013 10:32:48 -0500 Subject: [PATCH 097/163] shim: improve error messages %r when used in Print() will show a string representation of an EFI_STATUS code. Change-Id: I6db47f5213454603bd66177aca378ad01e9f0bd4 Signed-off-by: Andrew Boie --- shim.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/shim.c b/shim.c index a043779..9ae1936 100644 --- a/shim.c +++ b/shim.c @@ -914,7 +914,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, */ efi_status = read_header(data, datasize, &context); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to read header\n"); + Print(L"Failed to read header: %r\n", efi_status); return efi_status; } @@ -981,7 +981,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, efi_status = relocate_coff(&context, buffer); if (efi_status != EFI_SUCCESS) { - Print(L"Relocation failed\n"); + Print(L"Relocation failed: %r\n", efi_status); FreePool(buffer); return efi_status; } @@ -1022,7 +1022,7 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &loaded_image_protocol, (void **)&li); if (EFI_ERROR(rc)) { - Print(L"Could not get image for bootx64.efi: %d\n", rc); + Print(L"Could not get image for bootx64.efi: %r\n", rc); return 0; } @@ -1044,13 +1044,13 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle, &FileSystemProtocol, (void **)&fio); if (EFI_ERROR(rc)) { - Print(L"Could not get fio for li->DeviceHandle: %d\n", rc); + Print(L"Could not get fio for li->DeviceHandle: %r\n", rc); return 0; } rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh); if (EFI_ERROR(rc)) { - Print(L"Could not open fio volume: %d\n", rc); + Print(L"Could not open fio volume: %r\n", rc); return 0; } @@ -1172,14 +1172,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, (void **)&drive); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to find fs\n"); + Print(L"Failed to find fs: %r\n", efi_status); goto error; } efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open fs\n"); + Print(L"Failed to open fs: %r\n", efi_status); goto error; } @@ -1190,7 +1190,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, EFI_FILE_MODE_READ, 0); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open %s - %lx\n", PathName, efi_status); + Print(L"Failed to open %s - %r\n", PathName, efi_status); goto error; } @@ -1223,7 +1223,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unable to get file info\n"); + Print(L"Unable to get file info: %r\n", efi_status); goto error; } @@ -1251,7 +1251,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unexpected return from initial read: %x, buffersize %x\n", efi_status, buffersize); + Print(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize); goto error; } @@ -1328,20 +1328,20 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = generate_path(li, ImagePath, &path, &PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to generate path: %s\n", ImagePath); + Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status); goto done; } if (findNetboot(image_handle)) { efi_status = parseNetbootinfo(image_handle); if (efi_status != EFI_SUCCESS) { - Print(L"Netboot parsing failed: %d\n", efi_status); + Print(L"Netboot parsing failed: %r\n", efi_status); return EFI_PROTOCOL_ERROR; } efi_status = FetchNetbootimage(image_handle, &sourcebuffer, &sourcesize); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to fetch TFTP image\n"); + Print(L"Unable to fetch TFTP image: %r\n", efi_status); return efi_status; } data = sourcebuffer; @@ -1353,7 +1353,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = load_image(li, &data, &datasize, PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image\n"); + Print(L"Failed to load image %s: %r\n", PathName, efi_status); goto done; } } @@ -1370,7 +1370,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = handle_image(data, datasize, li); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image\n"); + Print(L"Failed to load image: %r\n", efi_status); CopyMem(li, &li_bak, sizeof(li_bak)); goto done; } @@ -1473,7 +1473,7 @@ EFI_STATUS mirror_mok_list() | EFI_VARIABLE_RUNTIME_ACCESS, FullDataSize, FullData); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokListRT %d\n", efi_status); + Print(L"Failed to set MokListRT: %r\n", efi_status); } return efi_status; @@ -1514,7 +1514,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) efi_status = start_image(image_handle, MOK_MANAGER); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to start MokManager\n"); + Print(L"Failed to start MokManager: %r\n", efi_status); return efi_status; } } @@ -1621,7 +1621,7 @@ static EFI_STATUS mok_ignore_db() | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, (void *)&Data); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokIgnoreDB %d\n", efi_status); + Print(L"Failed to set MokIgnoreDB: %r\n", efi_status); } } @@ -1648,7 +1648,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &LoadedImageProtocol, (void **) &li); if (status != EFI_SUCCESS) { - Print (L"Failed to get load options\n"); + Print (L"Failed to get load options: %r\n", status); return status; } From e60f118155e55f33c3ea9045abc2c43851d82516 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 19 Nov 2013 10:20:34 -0500 Subject: [PATCH 098/163] Clarify meaning of insecure_mode insecure_mode was intended to indicate that the user had explicity disabled checks with mokutil, which means it wasn't the opposite of secure_mode(). Change the names to clarify this and don't show the insecure mode message unless the user has explicitly enabled that mode. Signed-off-by: Matthew Garrett --- replacements.c | 6 ------ shim.c | 12 ++++++------ 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/replacements.c b/replacements.c index bac5e5d..5ea5c32 100644 --- a/replacements.c +++ b/replacements.c @@ -64,13 +64,9 @@ static typeof(systab->BootServices->StartImage) system_start_image; static typeof(systab->BootServices->Exit) system_exit; static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; -extern UINT8 insecure_mode; - void unhook_system_services(void) { - if (insecure_mode) - return; systab->BootServices->Exit = system_exit; systab->BootServices->StartImage = system_start_image; systab->BootServices->ExitBootServices = system_exit_boot_services; @@ -123,8 +119,6 @@ exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, void hook_system_services(EFI_SYSTEM_TABLE *local_systab) { - if (insecure_mode) - return; systab = local_systab; /* We need to hook various calls to make this work... */ diff --git a/shim.c b/shim.c index 9ae1936..524f5fc 100644 --- a/shim.c +++ b/shim.c @@ -85,7 +85,7 @@ int loader_is_participating; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -UINT8 insecure_mode; +UINT8 user_insecure_mode; UINT8 ignore_db; typedef enum { @@ -456,7 +456,7 @@ static BOOLEAN secure_mode (void) UINT8 *Data; UINT8 sb, setupmode; - if (insecure_mode) + if (user_insecure_mode) return FALSE; status = get_variable(L"SecureBoot", &Data, &len, global_var); @@ -1534,7 +1534,7 @@ static EFI_STATUS check_mok_sb (void) UINTN MokSBStateSize = 0; UINT32 attributes; - insecure_mode = 0; + user_insecure_mode = 0; ignore_db = 0; status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize, @@ -1555,7 +1555,7 @@ static EFI_STATUS check_mok_sb (void) status = EFI_ACCESS_DENIED; } else { if (*(UINT8 *)MokSBState == 1) { - insecure_mode = 1; + user_insecure_mode = 1; } } @@ -1753,10 +1753,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) /* * Tell the user that we're in insecure mode if necessary */ - if (!secure_mode()) { + if (user_insecure_mode) { Print(L"Booting in insecure mode\n"); uefi_call_wrapper(BS->Stall, 1, 2000000); - } else { + } else if (secure_mode()) { /* * Install our hooks for ExitBootServices() and StartImage() */ From 7c1f49dacc1c39e6286d6e27d4348ea34968a175 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 19 Nov 2013 10:20:34 -0500 Subject: [PATCH 099/163] Don't hook system services if shim has no built-in keys Shim should only need to enforce its security policy when its launching binaries signed with its built-in key. Binaries signed by keys in db or Mokdb should be able to rely on their own security policy. Signed-off-by: Matthew Garrett --- shim.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index 524f5fc..cf93d65 100644 --- a/shim.c +++ b/shim.c @@ -1757,11 +1757,15 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) Print(L"Booting in insecure mode\n"); uefi_call_wrapper(BS->Stall, 1, 2000000); } else if (secure_mode()) { - /* - * Install our hooks for ExitBootServices() and StartImage() - */ - hook_system_services(systab); - loader_is_participating = 0; + if (vendor_cert_size || vendor_dbx_size) { + /* + * If shim includes its own certificates then ensure + * that anything it boots has performed some + * validation of the next image. + */ + hook_system_services(systab); + loader_is_participating = 0; + } } /* From d9355ab635b2e620e6d908317627b7aa9718a999 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Nov 2013 11:48:24 -0500 Subject: [PATCH 100/163] Fix path generation for Dhcpv4 bootloader. Right now we always look for e.g. "\grubx64.efi", which is completely wrong. This makes it look for the path shim was loaded from and modify that to end in a sanitized version of our default loader name. Resolves: rhbz#1032583 Signed-off-by: Peter Jones --- include/str.h | 45 +++++++++++++++++++++++++++++++++++++++++++++ netboot.c | 28 +++++++++++++++++++++------- 2 files changed, 66 insertions(+), 7 deletions(-) create mode 100644 include/str.h diff --git a/include/str.h b/include/str.h new file mode 100644 index 0000000..0f3e003 --- /dev/null +++ b/include/str.h @@ -0,0 +1,45 @@ +#ifndef SHIM_STR_H +#define SHIM_STR_H + +static inline +__attribute__((unused)) +unsigned long strnlena(const CHAR8 *s, unsigned long n) +{ + unsigned long i; + for (i = 0; i <= n; i++) + if (s[i] == '\0') + break; + return i; +} + +static inline +__attribute__((unused)) +CHAR8 * +strncpya(CHAR8 *dest, const CHAR8 *src, unsigned long n) +{ + unsigned long i; + + for (i = 0; i < n && src[i] != '\0'; i++) + dest[i] = src[i]; + for (; i < n; i++) + dest[i] = '\0'; + + return dest; +} + +static inline +__attribute__((unused)) +CHAR8 * +strcata(CHAR8 *dest, const CHAR8 *src) +{ + unsigned long dest_len = strlena(dest); + unsigned long i; + + for (i = 0; src[i] != '\0'; i++) + dest[dest_len + i] = src[i]; + dest[dest_len + i] = '\0'; + + return dest; +} + +#endif /* SHIM_STR_H */ diff --git a/netboot.c b/netboot.c index a83c82a..1732dc7 100644 --- a/netboot.c +++ b/netboot.c @@ -38,6 +38,7 @@ #include #include "shim.h" #include "netboot.h" +#include "str.h" static inline unsigned short int __swap16(unsigned short int x) { @@ -305,19 +306,32 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { - CHAR8 *template = (CHAR8 *)DEFAULT_LOADER_CHAR; - full_path = AllocateZeroPool(strlen(template)+1); + CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); + UINTN template_len = strlen(template) + 1; + + UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); + UINTN i; + UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile; + + for (i = dir_len; i >= 0; i--) { + if (dir[i] == '/') + break; + } + dir_len = (i >= 0) ? i + 1 : 0; + + full_path = AllocateZeroPool(dir_len + template_len); if (!full_path) return EFI_OUT_OF_RESOURCES; + if (dir_len > 0) { + strncpya(full_path, dir, dir_len); + if (full_path[dir_len-1] == '/' && template[0] == '/') + full_path[dir_len-1] = '\0'; + } + strcata(full_path, template); memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); - memcpy(full_path, template, strlen(template)); - - /* Note we don't capture the filename option here because we know its shim.efi - * We instead assume the filename at the end of the path is going to be grubx64.efi - */ return EFI_SUCCESS; } From e724cfb1bf7834c21fbab2baff289e8633633c14 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Nov 2013 11:48:24 -0500 Subject: [PATCH 101/163] Lengths that might be -1 can't be unsigned, Peter. Signed-off-by: Peter Jones --- netboot.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/netboot.c b/netboot.c index 1732dc7..07e2773 100644 --- a/netboot.c +++ b/netboot.c @@ -307,10 +307,10 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); - UINTN template_len = strlen(template) + 1; + INTN template_len = strlen(template) + 1; - UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); - UINTN i; + INTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127); + INTN i; UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile; for (i = dir_len; i >= 0; i--) { @@ -329,6 +329,8 @@ static EFI_STATUS parseDhcp4() if (full_path[dir_len-1] == '/' && template[0] == '/') full_path[dir_len-1] = '\0'; } + if (dir_len == 0 && dir[0] != '/' && template[0] == '/') + template++; strcata(full_path, template); memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); From 28cd5c6b9a797cda2e166b90c29c972613080c1a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Nov 2013 11:48:24 -0500 Subject: [PATCH 102/163] Fix wrong sizeof(). CHAR16* vs CHAR16**, so the result is the same on all platforms. Detected by coverity. Signed-off-by: Peter Jones --- lib/shell.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/shell.c b/lib/shell.c index 51de4e0..7337834 100644 --- a/lib/shell.c +++ b/lib/shell.c @@ -35,7 +35,7 @@ argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV) (*argc)++; /* we counted spaces, so add one for initial */ - *ARGV = AllocatePool(*argc * sizeof(*ARGV)); + *ARGV = AllocatePool(*argc * sizeof(**ARGV)); if (!*ARGV) { return EFI_OUT_OF_RESOURCES; } From 040f08c24960bf9076c07d92c46d5f32a1f186d3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Nov 2013 11:48:24 -0500 Subject: [PATCH 103/163] Initialize entries before we pass it to another function. Coverity scan noticed that entries is uninitialized when we pass its location to another function. Signed-off-by: Peter Jones --- lib/simple_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/simple_file.c b/lib/simple_file.c index 3af0ec8..d345d87 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -415,7 +415,7 @@ simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name, CHAR16 *filter, CHAR16 **result) { EFI_STATUS status; - CHAR16 **entries; + CHAR16 **entries = NULL; EFI_FILE_INFO *dmp; int count, select, len; CHAR16 *newname, *selected; From dd77b3447cb4ee3c80659265f9ea084af8829ae4 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Nov 2013 11:48:24 -0500 Subject: [PATCH 104/163] Rewrite directory traversal allocation path so coverity can grok it. The things we do for our tools. In this case, make the AllocatePool() happen outside of a conditional, even though that conditional will always bee satisfied. This way coverity won't think we're setting fi to NULL and passing it to StrCaseCmp. Signed-off-by: Peter Jones --- fallback.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/fallback.c b/fallback.c index c875144..ba864ee 100644 --- a/fallback.c +++ b/fallback.c @@ -445,25 +445,32 @@ find_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname) return EFI_SUCCESS; } FreePool(buffer); + buffer = NULL; bs = 0; do { bs = 0; rc = uefi_call_wrapper(fh->Read, 3, fh, &bs, NULL); - if (rc == EFI_BUFFER_TOO_SMALL) { - buffer = AllocateZeroPool(bs); - if (!buffer) { - Print(L"Could not allocate memory\n"); - return EFI_OUT_OF_RESOURCES; - } - - rc = uefi_call_wrapper(fh->Read, 3, fh, &bs, buffer); + if (EFI_ERROR(rc) && rc != EFI_BUFFER_TOO_SMALL) { + Print(L"Could not read \\EFI\\%s\\: %d\n", dirname, rc); + if (buffer) + FreePool(buffer); + return rc; } + + buffer = AllocateZeroPool(bs); + if (!buffer) { + Print(L"Could not allocate memory\n"); + return EFI_OUT_OF_RESOURCES; + } + + rc = uefi_call_wrapper(fh->Read, 3, fh, &bs, buffer); if (EFI_ERROR(rc)) { Print(L"Could not read \\EFI\\%s\\: %d\n", dirname, rc); FreePool(buffer); return rc; } + if (bs == 0) break; From 17621118315466dc878cf468d8c15ffadcb50482 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Nov 2013 11:48:24 -0500 Subject: [PATCH 105/163] Error check the right thing in get_variable_attr() when allocating. Signed-off-by: Peter Jones --- lib/variables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/variables.c b/lib/variables.c index 81bd34d..3a9735e 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, return efi_status; *data = AllocateZeroPool(*len); - if (!data) + if (!*data) return EFI_OUT_OF_RESOURCES; efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, From 6edc6ec0a3da59e4519dec3f8af6fd48be00b980 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 31 Jan 2014 10:30:36 -0500 Subject: [PATCH 106/163] [fallback] For HD() device paths, use just the media node and later. UEFI 2.x section 3.1.2 provides for "short-form device path", where the first element specified is a "hard drive media device path", so that you can move a disk around on different buses without invalidating your device path. Fallback has not been using this option, though in most cases efibootmgr has. Note that we still keep the full device path, because LoadImage() isn't necessarily the layer where HD() works - one some systems BDS is responsible for resolving the full path and passes that to LoadImage() instead. So we have to do LoadImage() with the full path. --- fallback.c | 103 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 78 insertions(+), 25 deletions(-) diff --git a/fallback.c b/fallback.c index ba864ee..a12bb74 100644 --- a/fallback.c +++ b/fallback.c @@ -14,6 +14,27 @@ EFI_LOADED_IMAGE *this_image = NULL; +static EFI_STATUS +FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, + EFI_DEVICE_PATH **Out) +{ + EFI_DEVICE_PATH *dp = In; + if (!In || !Out) + return EFI_INVALID_PARAMETER; + + for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { + if (DevicePathType(dp) == Type && + DevicePathSubType(dp) == SubType) { + *Out = DuplicateDevicePath(dp); + if (!*Out) + return EFI_OUT_OF_RESOURCES; + return EFI_SUCCESS; + } + } + *Out = NULL; + return EFI_NOT_FOUND; +} + static EFI_STATUS get_file_size(EFI_FILE_HANDLE fh, UINTN *retsize) { @@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) { UINT64 len; - len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2; + len = StrLen(L"\\EFI\\") + StrLen(dirname) + + StrLen(L"\\") + StrLen(filename) + + 2; CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16)); if (!fullpath) { @@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL; UINTN first_new_option_size = 0; EFI_STATUS -add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) +add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, + CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) { static int i = 0; CHAR16 varname[] = L"Boot0000"; @@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar void *var = LibGetVariable(varname, &global); if (!var) { int size = sizeof(UINT32) + sizeof (UINT16) + - StrLen(label)*2 + 2 + DevicePathSize(dp) + - StrLen(arguments) * 2 + 2; + StrLen(label)*2 + 2 + DevicePathSize(hddp) + + StrLen(arguments) * 2; CHAR8 *data = AllocateZeroPool(size); CHAR8 *cursor = data; *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; cursor += sizeof (UINT32); - *(UINT16 *)cursor = DevicePathSize(dp); + *(UINT16 *)cursor = DevicePathSize(hddp); cursor += sizeof (UINT16); StrCpy((CHAR16 *)cursor, label); cursor += StrLen(label)*2 + 2; - CopyMem(cursor, dp, DevicePathSize(dp)); - cursor += DevicePathSize(dp); + CopyMem(cursor, hddp, DevicePathSize(hddp)); + cursor += DevicePathSize(hddp); StrCpy((CHAR16 *)cursor, arguments); Print(L"Creating boot entry \"%s\" with label \"%s\" " L"for file \"%s\"\n", varname, label, filename); + + if (!first_new_option) { + first_new_option = DuplicateDevicePath(fulldp); + first_new_option_args = arguments; + first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + } + rc = uefi_call_wrapper(RT->SetVariable, 5, varname, &global, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | @@ -254,7 +285,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * if (EFI_ERROR(rc)) return rc; - EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL; + EFI_DEVICE_PATH *dph = NULL; + EFI_DEVICE_PATH *file = NULL; + EFI_DEVICE_PATH *full_device_path = NULL; + EFI_DEVICE_PATH *dp = NULL; dph = DevicePathFromHandle(this_image->DeviceHandle); if (!dph) { @@ -262,19 +296,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * goto err; } - dpf = FileDevicePath(fh, fullpath); - if (!dpf) { + file = FileDevicePath(fh, fullpath); + if (!file) { rc = EFI_OUT_OF_RESOURCES; goto err; } - dp = AppendDevicePath(dph, dpf); - if (!dp) { + full_device_path = AppendDevicePath(dph, file); + if (!full_device_path) { rc = EFI_OUT_OF_RESOURCES; goto err; } + rc = FindSubDevicePath(full_device_path, + MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); + if (EFI_ERROR(rc)) { + if (rc == EFI_NOT_FOUND) { + dp = full_device_path; + } else { + rc = EFI_OUT_OF_RESOURCES; + goto err; + } + } + #ifdef DEBUG_FALLBACK + { UINTN s = DevicePathSize(dp); int i; UINT8 *dpv = (void *)dp; @@ -287,20 +333,16 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * CHAR16 *dps = DevicePathToStr(dp); Print(L"device path: \"%s\"\n", dps); -#endif - if (!first_new_option) { - CHAR16 *dps = DevicePathToStr(dp); - Print(L"device path: \"%s\"\n", dps); - first_new_option = DuplicateDevicePath(dp); - first_new_option_args = arguments; - first_new_option_size = StrLen(arguments) * sizeof (CHAR16); } +#endif - add_boot_option(dp, fullpath, label, arguments); + add_boot_option(dp, full_device_path, fullpath, label, arguments); err: - if (dpf) - FreePool(dpf); + if (file) + FreePool(file); + if (full_device_path) + FreePool(full_device_path); if (dp) FreePool(dp); if (fullpath) @@ -629,8 +671,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle) first_new_option, NULL, 0, &image_handle); if (EFI_ERROR(rc)) { - Print(L"LoadImage failed: %d\n", rc); - uefi_call_wrapper(BS->Stall, 1, 2000000); + CHAR16 *dps = DevicePathToStr(first_new_option); + UINTN s = DevicePathSize(first_new_option); + int i; + UINT8 *dpv = (void *)first_new_option; + Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps); + for (i = 0; i < s; i++) { + if (i > 0 && i % 16 == 0) + Print(L"\n"); + Print(L"%02x ", dpv[i]); + } + Print(L"\n"); + + uefi_call_wrapper(BS->Stall, 1, 500000000); return rc; } @@ -644,7 +697,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle) rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL); if (EFI_ERROR(rc)) { Print(L"StartImage failed: %d\n", rc); - uefi_call_wrapper(BS->Stall, 1, 2000000); + uefi_call_wrapper(BS->Stall, 1, 500000000); } return rc; } From 9fcd221ef143df5a52671a6f23240eb246ccf448 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 31 Jan 2014 10:31:10 -0500 Subject: [PATCH 107/163] [fallback] Attempt to re-use existing entries when possible. Some firmwares seem to ignore our boot entries and put their fallback entries back on top. Right now that results in a lot of boot entries for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 . Instead of that happening, if we simply find existing entries that match the entry we would create and move them to the top of the boot order, the machine will continue to operate in failure mode (which we can't avoid), but at least we won't create thousands of extra entries. Signed-off-by: Peter Jones --- fallback.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 98 insertions(+), 1 deletion(-) diff --git a/fallback.c b/fallback.c index a12bb74..44638ec 100644 --- a/fallback.c +++ b/fallback.c @@ -225,6 +225,85 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, return EFI_OUT_OF_RESOURCES; } +EFI_STATUS +find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, + CHAR16 *arguments, UINT16 *optnum) +{ + int size = sizeof(UINT32) + sizeof (UINT16) + + StrLen(label)*2 + 2 + DevicePathSize(dp) + + StrLen(arguments) * 2 + 2; + + CHAR8 *data = AllocateZeroPool(size); + if (!data) + return EFI_OUT_OF_RESOURCES; + CHAR8 *cursor = data; + *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; + cursor += sizeof (UINT32); + *(UINT16 *)cursor = DevicePathSize(dp); + cursor += sizeof (UINT16); + StrCpy((CHAR16 *)cursor, label); + cursor += StrLen(label)*2 + 2; + CopyMem(cursor, dp, DevicePathSize(dp)); + cursor += DevicePathSize(dp); + StrCpy((CHAR16 *)cursor, arguments); + + int i = 0; + CHAR16 varname[] = L"Boot0000"; + CHAR16 hexmap[] = L"0123456789ABCDEF"; + EFI_GUID global = EFI_GLOBAL_VARIABLE; + EFI_STATUS rc; + + CHAR8 *candidate = AllocateZeroPool(size); + if (!candidate) { + FreePool(data); + return EFI_OUT_OF_RESOURCES; + } + + for(i = 0; i < nbootorder && i < 0x10000; i++) { + varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12]; + varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8]; + varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; + varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; + + UINTN candidate_size = size; + rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, + NULL, &candidate_size, candidate); + if (EFI_ERROR(rc)) + continue; + + if (candidate_size != size) + continue; + + if (CompareMem(candidate, data, size)) + continue; + + /* at this point, we have duplicate data. */ + *optnum = i; + FreePool(candidate); + FreePool(data); + return EFI_SUCCESS; + } + FreePool(candidate); + FreePool(data); + return EFI_NOT_FOUND; +} + +EFI_STATUS +set_boot_order(void) +{ + CHAR16 *oldbootorder; + UINTN size; + EFI_GUID global = EFI_GLOBAL_VARIABLE; + + oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); + if (oldbootorder) { + nbootorder = size / sizeof (CHAR16); + bootorder = oldbootorder; + } + return EFI_SUCCESS; + +} + EFI_STATUS update_boot_order(void) { @@ -336,7 +415,23 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * } #endif - add_boot_option(dp, full_device_path, fullpath, label, arguments); + UINT16 option; + rc = find_boot_option(dp, fullpath, label, arguments, &option); + if (EFI_ERROR(rc)) { + add_boot_option(dp, full_device_path, fullpath, label, arguments); + } else if (option != 0) { + CHAR16 *newbootorder; + newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); + if (!newbootorder) + return EFI_OUT_OF_RESOURCES; + + newbootorder[0] = bootorder[option]; + CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option); + CopyMem(newbootorder + option + 1, bootorder + option + 1, + sizeof (CHAR16) * (nbootorder - option - 1)); + FreePool(bootorder); + bootorder = newbootorder; + } err: if (file) @@ -717,6 +812,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) Print(L"System BootOrder not found. Initializing defaults.\n"); + set_boot_order(); + rc = find_boot_options(this_image->DeviceHandle); if (EFI_ERROR(rc)) { Print(L"Error: could not find boot options: %d\n", rc); From a4c3653d59fbcbe397d3f9dd868e2071493973aa Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 14 Feb 2014 14:08:30 -0500 Subject: [PATCH 108/163] Add a preliminary test plan. Because you know you wanted a test plan. You feel it deeply inside. Note that none of the /negative/ cases are tested yet. Signed-off-by: Peter Jones --- testplan.txt | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 testplan.txt diff --git a/testplan.txt b/testplan.txt new file mode 100644 index 0000000..118dfcd --- /dev/null +++ b/testplan.txt @@ -0,0 +1,80 @@ +How to test a new shim build for RHEL/fedora: + +1) build pesign-test-app, and sign it with the appropriate key +2) build shim with the appropriate key built in +3) install pesign-test-app and shim-unsigned on the test machine +4) make a lockdown.efi for "Red Hat Test Certificate" and put it in \EFI\test + mkdir /boot/efi/EFI/test/ + wget http://pjones.fedorapeople.org/shim/LockDown-rhtest.efi + mv LockDown-rhtest.efi /boot/efi/EFI/test/lockdown.efi +5) sign shim with RHTC and put it in \EFI\test: + pesign -i /usr/share/shim/shim.efi -o /boot/efi/EFI/test/shim.efi \ + -s -c "Red Hat Test Certificate" +6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi + cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \ + /boot/efi/EFI/test/test.efi +7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\: + pesign -i /boot/efi/EFI/redhat/grubx64.efi -o grubx64-unsigned.efi \ + -r -u 0 + pesign -i grubx64-unsigned.efi -o /boot/efi/EFI/test/grub.efi \ + -s -c "Red Hat Test Certificate" +8) sign a copy of mokmanager with RHTC and put it in \EFI\test: + pesign -i /usr/share/shim/MokManager.efi \ + -o /boot/efi/EFI/test/MokManager.efi -s \ + -c "Red Hat Test Certificate" +9) copy grub.cfg to our test directory: + cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg +10) *move* \EFI\redhat\BOOT.CSV to \EFI\test + mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV +11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi + rm -rf /boot/efi/EFI/BOOT/ + mkdir /boot/efi/EFI/BOOT/ + pesign -i /usr/share/shim/fallback.efi \ + -o /boot/efi/EFI/BOOT/fallback.efi \ + -s -c "Red Hat Test Certificate" +12) put shim.efi there as well + cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI +13) enroll the current kernel's certificate with mokutil: + mokutil --import ~/redhatsecurebootca2.cer +14) put machine in setup mode +15) boot to the UEFI shell +16) run lockdown.efi from #4: + fs0:\EFI\test\lockdown.efi +17) enable secure boot verification +18) verify it can't run other binaries: + fs0:\EFI\redhat\grubx64.efi + result should be an error, probably similar to: + "fs0:\...\grubx64.efi is not recognized as an internal or external command" +19) copy test.efi to grubx64.efi: + cp \EFI\test\test.efi \EFI\test\grubx64.efi +20) in the EFI shell, run fs0:\EFI\test\shim.efi +21) you should see MokManager. Enroll the certificate you added in #13, and + the system will reboot. +22) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi + result: "This is a test application that should be completely safe." + If you get the expected result, shim can run things signed by its internal + key ring. Check a box someplace that says it can do that. +23) from the EFI shell, copy grub to grubx64.efi: + cp \EFI\test\grubx.efi \EFI\test\grubx64.efi +24) in the EFI shell, run fs0:\EFI\test\shim.efi + result: this should start grub, which will let you boot a kernel + If grub starts, it means shim can run things signed by a key in the system's + db. Check a box someplace that says it can do that. + If the kernel boots, it means shim can run things from Mok. Check a box + someplace that says it can do that. +25) remove all boot entries and the BootOrder variable: + [root@uefi ~]# cd /sys/firmware/efi/efivars/ + [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-* + removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot0001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’ + [root@uefi efivars]# +27) reboot +28) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just + have an old machine. In that case, go to the EFI shell and run: + fs0:\EFI\BOOT\BOOTX64.EFI + If this works, you should see a bit of output very quickly and then the same + thing as #24. This means shim recognized it was in \EFI\BOOT and ran + fallback.efi, which worked. From a5d135bd2dd128dd68cc5476c53c83eda378fb45 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 14 Feb 2014 17:48:01 -0500 Subject: [PATCH 109/163] Add a failure case to the test plan and fix an ordering error. Signed-off-by: Peter Jones --- testplan.txt | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/testplan.txt b/testplan.txt index 118dfcd..2fbf238 100644 --- a/testplan.txt +++ b/testplan.txt @@ -12,23 +12,26 @@ How to test a new shim build for RHEL/fedora: -s -c "Red Hat Test Certificate" 6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \ - /boot/efi/EFI/test/test.efi -7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\: - pesign -i /boot/efi/EFI/redhat/grubx64.efi -o grubx64-unsigned.efi \ - -r -u 0 - pesign -i grubx64-unsigned.efi -o /boot/efi/EFI/test/grub.efi \ - -s -c "Red Hat Test Certificate" + /boot/efi/EFI/test/test.efi +7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ . Also + leave an unsigned copy there: + pesign -i /boot/efi/EFI/redhat/grubx64.efi \ + -o /boot/efi/EFI/test/grubx64-unsigned.efi \ + -r -u 0 + pesign -i /boot/efi/EFI/test/grubx64-unsigned.efi \ + -o /boot/efi/EFI/test/grub.efi \ + -s -c "Red Hat Test Certificate" 8) sign a copy of mokmanager with RHTC and put it in \EFI\test: pesign -i /usr/share/shim/MokManager.efi \ - -o /boot/efi/EFI/test/MokManager.efi -s \ + -o /boot/efi/EFI/test/MokManager.efi -s \ -c "Red Hat Test Certificate" 9) copy grub.cfg to our test directory: cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg 10) *move* \EFI\redhat\BOOT.CSV to \EFI\test - mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV -11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi rm -rf /boot/efi/EFI/BOOT/ mkdir /boot/efi/EFI/BOOT/ + mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV +11) sign a copy of fallback.efi and put it in \EFI\BOOT\fallback.efi pesign -i /usr/share/shim/fallback.efi \ -o /boot/efi/EFI/BOOT/fallback.efi \ -s -c "Red Hat Test Certificate" @@ -55,7 +58,7 @@ How to test a new shim build for RHEL/fedora: If you get the expected result, shim can run things signed by its internal key ring. Check a box someplace that says it can do that. 23) from the EFI shell, copy grub to grubx64.efi: - cp \EFI\test\grubx.efi \EFI\test\grubx64.efi + cp \EFI\test\grub.efi \EFI\test\grubx64.efi 24) in the EFI shell, run fs0:\EFI\test\shim.efi result: this should start grub, which will let you boot a kernel If grub starts, it means shim can run things signed by a key in the system's @@ -78,3 +81,7 @@ How to test a new shim build for RHEL/fedora: If this works, you should see a bit of output very quickly and then the same thing as #24. This means shim recognized it was in \EFI\BOOT and ran fallback.efi, which worked. +29) copy the unsigned grub into place and reboot: + cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi +30) reboot again. + result: shim should refuse to load grub. From cf90edfff585cfb6d51f0b4992c7f4fc9195c4c2 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 14 Feb 2014 17:48:01 -0500 Subject: [PATCH 110/163] Allow fallback to use the system's LoadImage/StartImage . Track use of the system's LoadImage(), and when the next StartImage() call is for an image the system verified, allow that to count as participating, since it has been verified by the system's db. Signed-off-by: Peter Jones --- replacements.c | 68 +++++++++++++++++++++++++++++++++++++++- replacements.h | 3 ++ shim.c | 85 ++++++++++++++++++++++++++++++-------------------- 3 files changed, 121 insertions(+), 35 deletions(-) diff --git a/replacements.c b/replacements.c index 5ea5c32..48dc437 100644 --- a/replacements.c +++ b/replacements.c @@ -60,26 +60,82 @@ static EFI_SYSTEM_TABLE *systab; +static typeof(systab->BootServices->LoadImage) system_load_image; static typeof(systab->BootServices->StartImage) system_start_image; static typeof(systab->BootServices->Exit) system_exit; static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; +static EFI_HANDLE last_loaded_image; + void unhook_system_services(void) { systab->BootServices->Exit = system_exit; + systab->BootServices->LoadImage = system_load_image; systab->BootServices->StartImage = system_start_image; systab->BootServices->ExitBootServices = system_exit_boot_services; } +static EFI_STATUS EFIAPI +load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle, + EFI_DEVICE_PATH *DevicePath, VOID *SourceBuffer, + UINTN SourceSize, EFI_HANDLE *ImageHandle) +{ + EFI_STATUS status; + unhook_system_services(); + + status = systab->BootServices->LoadImage(BootPolicy, + ParentImageHandle, DevicePath, + SourceBuffer, SourceSize, ImageHandle); + hook_system_services(systab); + if (EFI_ERROR(status)) + last_loaded_image = NULL; + else + last_loaded_image = *ImageHandle; + return status; +} + static EFI_STATUS EFIAPI start_image(EFI_HANDLE image_handle, UINTN *exit_data_size, CHAR16 **exit_data) { EFI_STATUS status; unhook_system_services(); + + /* We have to uninstall shim's protocol here, because if we're + * On the fallback.efi path, then our call pathway is: + * + * shim->fallback->shim->grub + * ^ ^ ^ + * | | \- gets protocol #0 + * | \- installs its protocol (#1) + * \- installs its protocol (#0) + * and if we haven't removed this, then grub will get the *first* + * shim's protocol, but it'll get the second shim's systab + * replacements. So even though it will participate and verify + * the kernel, the systab never finds out. + */ + if (image_handle == last_loaded_image) { + loader_is_participating = 1; + uninstall_shim_protocols(); + } status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data); - if (EFI_ERROR(status)) + if (EFI_ERROR(status)) { + if (image_handle == last_loaded_image) { + EFI_STATUS status2 = install_shim_protocols(); + + if (EFI_ERROR(status2)) { + Print(L"Something has gone seriously wrong: %d\n", + status2); + Print(L"shim cannot continue, sorry.\n"); + systab->BootServices->Stall(5000000); + systab->RuntimeServices->ResetSystem( + EfiResetShutdown, + EFI_SECURITY_VIOLATION, 0, NULL); + } + } hook_system_services(systab); + loader_is_participating = 0; + } return status; } @@ -123,6 +179,16 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab) /* We need to hook various calls to make this work... */ + /* We need LoadImage() hooked so that fallback.c can load shim + * without having to fake LoadImage as well. This allows it + * to call the system LoadImage(), and have us track the output + * and mark loader_is_participating in start_image. This means + * anything added by fallback has to be verified by the system db, + * which we want to preserve anyway, since that's all launching + * through BDS gives us. */ + system_load_image = systab->BootServices->LoadImage; + systab->BootServices->LoadImage = load_image; + /* we need StartImage() so that we can allow chain booting to an * image trusted by the firmware */ system_start_image = systab->BootServices->StartImage; diff --git a/replacements.h b/replacements.h index 5b57bc2..bd09424 100644 --- a/replacements.h +++ b/replacements.h @@ -41,4 +41,7 @@ extern int loader_is_participating; extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab); extern void unhook_system_services(void); +extern EFI_STATUS install_shim_protocols(void); +extern void uninstall_shim_protocols(void); + #endif /* SHIM_REPLACEMENTS_H */ diff --git a/shim.c b/shim.c index cf93d65..0e18d38 100644 --- a/shim.c +++ b/shim.c @@ -1707,11 +1707,56 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) return EFI_SUCCESS; } -EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +static SHIM_LOCK shim_lock_interface; +static EFI_HANDLE shim_lock_handle; + +EFI_STATUS +install_shim_protocols(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - static SHIM_LOCK shim_lock_interface; - EFI_HANDLE handle = NULL; + EFI_STATUS efi_status; + /* + * Install the protocol + */ + efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, + &shim_lock_handle, &shim_lock_guid, + EFI_NATIVE_INTERFACE, &shim_lock_interface); + if (EFI_ERROR(efi_status)) { + console_error(L"Could not install security protocol", + efi_status); + return efi_status; + } + +#if defined(OVERRIDE_SECURITY_POLICY) + /* + * Install the security protocol hook + */ + security_policy_install(shim_verify); +#endif + + return EFI_SUCCESS; +} + +void +uninstall_shim_protocols(void) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; +#if defined(OVERRIDE_SECURITY_POLICY) + /* + * Clean up the security protocol hook + */ + security_policy_uninstall(); +#endif + + /* + * If we're back here then clean everything up before exiting + */ + uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle, + &shim_lock_guid, &shim_lock_interface); +} + +EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +{ EFI_STATUS efi_status; verification_method = VERIFIED_BY_NOTHING; @@ -1768,24 +1813,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) } } - /* - * Install the protocol - */ - efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, - &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE, - &shim_lock_interface); - if (EFI_ERROR(efi_status)) { - console_error(L"Could not install security protocol", - efi_status); + efi_status = install_shim_protocols(); + if (EFI_ERROR(efi_status)) return efi_status; - } - -#if defined(OVERRIDE_SECURITY_POLICY) - /* - * Install the security protocol hook - */ - security_policy_install(shim_verify); -#endif /* * Enter MokManager if necessary @@ -1810,20 +1840,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) efi_status = init_grub(image_handle); -#if defined(OVERRIDE_SECURITY_POLICY) - /* - * Clean up the security protocol hook - */ - security_policy_uninstall(); -#endif - - /* - * If we're back here then clean everything up before exiting - */ - uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, - &shim_lock_guid, &shim_lock_interface); - - + uninstall_shim_protocols(); /* * Remove our hooks from system services. */ From 47a9d2c908078ff79c4a4043855ec499241c8977 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 11 Apr 2014 14:41:22 -0400 Subject: [PATCH 111/163] additional bounds-checking on section sizes This adds additional bounds-checking on the section sizes. Also adds -Wsign-compare to the Makefile and replaces some signed variables with unsigned counteparts for robustness. Signed-off-by: Kees Cook --- Makefile | 3 +- MokManager.c | 6 ++-- PasswordCrypt.c | 4 +-- fallback.c | 4 +-- shim.c | 81 ++++++++++++++++++++++++++++++++++--------------- 5 files changed, 65 insertions(+), 33 deletions(-) diff --git a/Makefile b/Makefile index e65d28d..46e5ef9 100644 --- a/Makefile +++ b/Makefile @@ -16,7 +16,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ + -fshort-wchar -Wall -Wsign-compare -Werror \ + -mno-red-zone -maccumulate-outgoing-args \ -mno-mmx -mno-sse -fno-builtin \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ diff --git a/MokManager.c b/MokManager.c index f5ed379..3da61f4 100644 --- a/MokManager.c +++ b/MokManager.c @@ -440,7 +440,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) MokListNode *keys = NULL; INTN key_num = 0; CHAR16 **menu_strings; - int i; + unsigned int i; if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA))) { @@ -491,7 +491,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) { EFI_INPUT_KEY key; - int count = 0; + unsigned int count = 0; do { key = console_get_keystroke(); @@ -640,7 +640,7 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; - int i; + unsigned int i; if (pw_crypt) { auth_hash = pw_crypt->hash; diff --git a/PasswordCrypt.c b/PasswordCrypt.c index 8d72a82..e0a82cf 100644 --- a/PasswordCrypt.c +++ b/PasswordCrypt.c @@ -154,7 +154,7 @@ static EFI_STATUS sha256_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA256_Init(&alt_ctx); - for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) SHA256_Update(&alt_ctx, salt, salt_size); SHA256_Final(tmp_result, &alt_ctx); @@ -242,7 +242,7 @@ static EFI_STATUS sha512_crypt (const char *key, UINT32 key_len, CopyMem(cp, tmp_result, cnt); SHA512_Init(&alt_ctx); - for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt) + for (cnt = 0; cnt < 16ul + alt_result[0]; ++cnt) SHA512_Update(&alt_ctx, salt, salt_size); SHA512_Final(tmp_result, &alt_ctx); diff --git a/fallback.c b/fallback.c index 44638ec..bc9a3c9 100644 --- a/fallback.c +++ b/fallback.c @@ -229,7 +229,7 @@ EFI_STATUS find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, UINT16 *optnum) { - int size = sizeof(UINT32) + sizeof (UINT16) + + unsigned int size = sizeof(UINT32) + sizeof (UINT16) + StrLen(label)*2 + 2 + DevicePathSize(dp) + StrLen(arguments) * 2 + 2; @@ -768,7 +768,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle) if (EFI_ERROR(rc)) { CHAR16 *dps = DevicePathToStr(first_new_option); UINTN s = DevicePathSize(first_new_option); - int i; + unsigned int i; UINT8 *dpv = (void *)first_new_option; Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps); for (i = 0; i < s; i++) { diff --git a/shim.c b/shim.c index 0e18d38..8c583a4 100644 --- a/shim.c +++ b/shim.c @@ -102,7 +102,7 @@ typedef struct { /* * Perform basic bounds checking of the intra-image pointers */ -static void *ImageAddress (void *image, int size, unsigned int address) +static void *ImageAddress (void *image, unsigned int size, unsigned int address) { if (address > size) return NULL; @@ -494,18 +494,19 @@ static BOOLEAN secure_mode (void) * Calculate the SHA1 and SHA256 hashes of a binary */ -static EFI_STATUS generate_hash (char *data, int datasize, +static EFI_STATUS generate_hash (char *data, int datasize_in, PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash, UINT8 *sha1hash) { unsigned int sha256ctxsize, sha1ctxsize; - unsigned int size = datasize; + unsigned int size = datasize_in; void *sha256ctx = NULL, *sha1ctx = NULL; char *hashbase; unsigned int hashsize; unsigned int SumOfBytesHashed, SumOfSectionBytes; unsigned int index, pos; + unsigned int datasize; EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; EFI_IMAGE_SECTION_HEADER *SectionCache; @@ -517,6 +518,12 @@ static EFI_STATUS generate_hash (char *data, int datasize, sha1ctxsize = Sha1GetContextSize(); sha1ctx = AllocatePool(sha1ctxsize); + if (datasize_in < 0) { + Print(L"Invalid data size\n"); + return EFI_INVALID_PARAMETER; + } + size = datasize = (unsigned int)datasize_in; + if (!sha256ctx || !sha1ctx) { Print(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; @@ -577,22 +584,29 @@ static EFI_STATUS generate_hash (char *data, int datasize, SumOfBytesHashed = context->PEHdr->Pe32.OptionalHeader.SizeOfHeaders; #endif - Section = (EFI_IMAGE_SECTION_HEADER *) ( - (char *)context->PEHdr + sizeof (UINT32) + - sizeof (EFI_IMAGE_FILE_HEADER) + - context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - ); - - SectionCache = Section; - + /* Validate section locations and sizes */ for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { - SumOfSectionBytes += SectionCache->SizeOfRawData; - } + EFI_IMAGE_SECTION_HEADER *SectionPtr; - if (SumOfSectionBytes >= datasize) { - Print(L"Malformed binary: %x %x\n", SumOfSectionBytes, size); - status = EFI_INVALID_PARAMETER; - goto done; + /* Validate SectionPtr is within image */ + SectionPtr = ImageAddress(data, datasize, + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + + (index * sizeof(*SectionPtr))); + if (!SectionPtr) { + Print(L"Malformed section %d\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + /* Validate section size is within image. */ + if (SectionPtr->SizeOfRawData > + datasize - SumOfBytesHashed - SumOfSectionBytes) { + Print(L"Malformed section %d size\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + SumOfSectionBytes += SectionPtr->SizeOfRawData; } SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); @@ -602,6 +616,11 @@ static EFI_STATUS generate_hash (char *data, int datasize, goto done; } + /* Already validated above */ + Section = ImageAddress(data, datasize, sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader); + /* Sort the section headers */ for (index = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { pos = index; @@ -620,7 +639,6 @@ static EFI_STATUS generate_hash (char *data, int datasize, continue; } hashbase = ImageAddress(data, size, Section->PointerToRawData); - hashsize = (unsigned int) Section->SizeOfRawData; if (!hashbase) { Print(L"Malformed section header\n"); @@ -628,6 +646,15 @@ static EFI_STATUS generate_hash (char *data, int datasize, goto done; } + /* Verify hashsize within image. */ + if (Section->SizeOfRawData > + datasize - Section->PointerToRawData) { + Print(L"Malformed section raw size %d\n", index); + status = EFI_INVALID_PARAMETER; + goto done; + } + hashsize = (unsigned int) Section->SizeOfRawData; + if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { Print(L"Unable to generate hash\n"); @@ -638,10 +665,10 @@ static EFI_STATUS generate_hash (char *data, int datasize, } /* Hash all remaining data */ - if (size > SumOfBytesHashed) { + if (datasize > SumOfBytesHashed) { hashbase = data + SumOfBytesHashed; hashsize = (unsigned int)( - size - + datasize - #if __LP64__ context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - #else @@ -884,7 +911,8 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, return EFI_UNSUPPORTED; } - if (((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { + if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) > + (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { Print(L"Invalid image\n"); return EFI_UNSUPPORTED; } @@ -904,7 +932,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, { EFI_STATUS efi_status; char *buffer; - int i, size; + int i; + unsigned int size; EFI_IMAGE_SECTION_HEADER *Section; char *base, *end; PE_COFF_LOADER_IMAGE_CONTEXT context; @@ -1081,7 +1110,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, { EFI_DEVICE_PATH *devpath; EFI_HANDLE device; - int i, j, last = -1; + unsigned int i; + int j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; @@ -1637,9 +1667,10 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) EFI_STATUS status; EFI_LOADED_IMAGE *li; CHAR16 *start = NULL, *c; - int i, remaining_size = 0; + unsigned int i; + int remaining_size = 0; CHAR16 *loader_str = NULL; - int loader_len = 0; + unsigned int loader_len = 0; second_stage = DEFAULT_LOADER; load_options = NULL; From 16a83563508e28d3ebc5a53c12f0c735d08ae728 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 11 Apr 2014 15:05:24 -0400 Subject: [PATCH 112/163] Kees' patch missed the offset adjustment to PEHdr. In read_header, we adjust context->PEHdr's address by doshdr->e_lfanew. If we're going to recompute that address, we have to adjust it here too. Signed-off-by: Peter Jones --- shim.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/shim.c b/shim.c index 8c583a4..d06bd02 100644 --- a/shim.c +++ b/shim.c @@ -511,12 +511,8 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; EFI_IMAGE_SECTION_HEADER *SectionCache; EFI_STATUS status = EFI_SUCCESS; - - sha256ctxsize = Sha256GetContextSize(); - sha256ctx = AllocatePool(sha256ctxsize); - - sha1ctxsize = Sha1GetContextSize(); - sha1ctx = AllocatePool(sha1ctxsize); + EFI_IMAGE_DOS_HEADER *DosHdr = (void *)data; + unsigned int PEHdr_offset = 0; if (datasize_in < 0) { Print(L"Invalid data size\n"); @@ -524,6 +520,19 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, } size = datasize = (unsigned int)datasize_in; + if (datasize <= sizeof (*DosHdr) || + DosHdr->e_magic != EFI_IMAGE_DOS_SIGNATURE) { + Print(L"Invalid signature\n"); + return EFI_INVALID_PARAMETER; + } + PEHdr_offset = DosHdr->e_lfanew; + + sha256ctxsize = Sha256GetContextSize(); + sha256ctx = AllocatePool(sha256ctxsize); + + sha1ctxsize = Sha1GetContextSize(); + sha1ctx = AllocatePool(sha1ctxsize); + if (!sha256ctx || !sha1ctx) { Print(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; @@ -590,6 +599,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, /* Validate SectionPtr is within image */ SectionPtr = ImageAddress(data, datasize, + PEHdr_offset + sizeof (UINT32) + sizeof (EFI_IMAGE_FILE_HEADER) + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + @@ -617,7 +627,9 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, } /* Already validated above */ - Section = ImageAddress(data, datasize, sizeof (UINT32) + + Section = ImageAddress(data, datasize, + PEHdr_offset + + sizeof (UINT32) + sizeof (EFI_IMAGE_FILE_HEADER) + context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader); From a63d665fb8407997ae057803877ed8149f80a25e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 11 Apr 2014 15:07:45 -0400 Subject: [PATCH 113/163] Get rid of SectionCache in generate_hash(), it is unused. Signed-off-by: Peter Jones --- shim.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/shim.c b/shim.c index d06bd02..48a6f2f 100644 --- a/shim.c +++ b/shim.c @@ -509,7 +509,6 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, unsigned int datasize; EFI_IMAGE_SECTION_HEADER *Section; EFI_IMAGE_SECTION_HEADER *SectionHeader = NULL; - EFI_IMAGE_SECTION_HEADER *SectionCache; EFI_STATUS status = EFI_SUCCESS; EFI_IMAGE_DOS_HEADER *DosHdr = (void *)data; unsigned int PEHdr_offset = 0; @@ -594,7 +593,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, #endif /* Validate section locations and sizes */ - for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++, SectionCache++) { + for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { EFI_IMAGE_SECTION_HEADER *SectionPtr; /* Validate SectionPtr is within image */ From ec7eddbf05abd6b721b1f1f0fa6c1816d35ddc09 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 13 May 2014 13:23:41 -0400 Subject: [PATCH 114/163] [fallback] Avoid duplicate old BootOrder set_boot_order() already copies the old BootOrder to the variable, bootorder. Besides, we can adjust BootOrder when adding the newly generated boot option. So, we don't have to copy the old one again in update_boot_order(). This avoid the duplicate entries in BootOrder. Signed-off-by: Gary Ching-Pang Lin --- fallback.c | 37 ++++++++++++------------------------- 1 file changed, 12 insertions(+), 25 deletions(-) diff --git a/fallback.c b/fallback.c index bc9a3c9..4bde9c1 100644 --- a/fallback.c +++ b/fallback.c @@ -204,12 +204,12 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, return EFI_OUT_OF_RESOURCES; int j = 0; + newbootorder[0] = i & 0xffff; if (nbootorder) { for (j = 0; j < nbootorder; j++) - newbootorder[j] = bootorder[j]; + newbootorder[j+1] = bootorder[j]; FreePool(bootorder); } - newbootorder[j] = i & 0xffff; bootorder = newbootorder; nbootorder += 1; #ifdef DEBUG_FALLBACK @@ -307,28 +307,17 @@ set_boot_order(void) EFI_STATUS update_boot_order(void) { - CHAR16 *oldbootorder; UINTN size; + UINTN len = 0; EFI_GUID global = EFI_GLOBAL_VARIABLE; CHAR16 *newbootorder = NULL; + EFI_STATUS rc; - oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); - if (oldbootorder) { - int n = size / sizeof (CHAR16) + nbootorder; - - newbootorder = AllocateZeroPool(n * sizeof (CHAR16)); - if (!newbootorder) - return EFI_OUT_OF_RESOURCES; - CopyMem(newbootorder, bootorder, nbootorder * sizeof (CHAR16)); - CopyMem(newbootorder + nbootorder, oldbootorder, size); - size = n * sizeof (CHAR16); - } else { - size = nbootorder * sizeof(CHAR16); - newbootorder = AllocateZeroPool(size); - if (!newbootorder) - return EFI_OUT_OF_RESOURCES; - CopyMem(newbootorder, bootorder, size); - } + size = nbootorder * sizeof(CHAR16); + newbootorder = AllocateZeroPool(size); + if (!newbootorder) + return EFI_OUT_OF_RESOURCES; + CopyMem(newbootorder, bootorder, size); #ifdef DEBUG_FALLBACK Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); @@ -337,13 +326,11 @@ update_boot_order(void) Print(L"%04x ", newbootorder[j]); Print(L"\n"); #endif - - if (oldbootorder) { + rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, + NULL, &len, NULL); + if (rc == EFI_BUFFER_TOO_SMALL) LibDeleteVariable(L"BootOrder", &global); - FreePool(oldbootorder); - } - EFI_STATUS rc; rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | From 30cead3b403650d320926971b671b4cda3d609e5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 13 May 2014 13:24:12 -0400 Subject: [PATCH 115/163] [fallback] Fix the data size for boot option comparison Signed-off-by: Gary Ching-Pang Lin --- fallback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fallback.c b/fallback.c index 4bde9c1..7f242e1 100644 --- a/fallback.c +++ b/fallback.c @@ -231,7 +231,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, { unsigned int size = sizeof(UINT32) + sizeof (UINT16) + StrLen(label)*2 + 2 + DevicePathSize(dp) + - StrLen(arguments) * 2 + 2; + StrLen(arguments) * 2; CHAR8 *data = AllocateZeroPool(size); if (!data) From 8bf83b55dc252cc6b5b83bb0f33cdc8fb68c448b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 13 May 2014 13:30:07 -0400 Subject: [PATCH 116/163] [fallback] Try to boot the first boot option anyway Some UEFI implementations never care the boot options, so the restored boot options could be just ignored and this results in endless reboot. To avoid this situation, this commit makes fallback.efi to load the first matched boot option even if there is no boot option to be restored. It may not be perfect, but at least the bootloader is loaded... Signed-off-by: Gary Ching-Pang Lin --- fallback.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/fallback.c b/fallback.c index 7f242e1..d10fb62 100644 --- a/fallback.c +++ b/fallback.c @@ -226,8 +226,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, } EFI_STATUS -find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, - CHAR16 *arguments, UINT16 *optnum) +find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, + CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, + UINT16 *optnum) { unsigned int size = sizeof(UINT32) + sizeof (UINT16) + StrLen(label)*2 + 2 + DevicePathSize(dp) + @@ -278,6 +279,12 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, continue; /* at this point, we have duplicate data. */ + if (!first_new_option) { + first_new_option = DuplicateDevicePath(fulldp); + first_new_option_args = arguments; + first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + } + *optnum = i; FreePool(candidate); FreePool(data); @@ -403,7 +410,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * #endif UINT16 option; - rc = find_boot_option(dp, fullpath, label, arguments, &option); + rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); if (EFI_ERROR(rc)) { add_boot_option(dp, full_device_path, fullpath, label, arguments); } else if (option != 0) { From da49ac6d699f2a91bd088fc66ba31c42803ade3e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 09:53:23 -0400 Subject: [PATCH 117/163] Fetch the netboot image from the same device The previous strategy is to locate the first available PXE_BASE_CODE protocol and to fetch the second stage image from it, and this may cause shim to fetch the wrong second stage image, i.e. grub.efi. Consider the machine with the following boot order: 1. PXE Boot 2. Hard Drive Assume that the EFI image, e.g. bootx64.efi, in the PXE server is broken, then "PXE Boot" will fail and fallback to "Hard Drive". While shim.efi in "Hard Drive" is loaded, it will find the PXE protocol is available and fetch grub.efi from the PXE server, not grub.efi in the disk. This commit checks the DeviceHandle from Loaded Image. If the device supports PXE, then shim fetches grub.efi with the PXE protocol. Otherwise, shim loads grub.efi from the disk. Signed-off-by: Gary Ching-Pang Lin --- netboot.c | 79 ++++++++++++------------------------------------------- shim.c | 2 +- 2 files changed, 18 insertions(+), 63 deletions(-) diff --git a/netboot.c b/netboot.c index 07e2773..5ef53f7 100644 --- a/netboot.c +++ b/netboot.c @@ -85,78 +85,33 @@ translate_slashes(char *str) * Returns TRUE if we identify a protocol that is enabled and Providing us with * the needed information to fetch a grubx64.efi image */ -BOOLEAN findNetboot(EFI_HANDLE image_handle) +BOOLEAN findNetboot(EFI_HANDLE device) { - UINTN bs = sizeof(EFI_HANDLE); - EFI_GUID pxe_base_code_protocol = EFI_PXE_BASE_CODE_PROTOCOL; - EFI_HANDLE *hbuf; - BOOLEAN rc = FALSE; - void *buffer = AllocatePool(bs); - UINTN errcnt = 0; - UINTN i; EFI_STATUS status; - if (!buffer) + status = uefi_call_wrapper(BS->HandleProtocol, 3, device, + &PxeBaseCodeProtocol, (VOID **)&pxe); + if (status != EFI_SUCCESS) { + pxe = NULL; return FALSE; - -try_again: - status = uefi_call_wrapper(BS->LocateHandle,5, ByProtocol, - &pxe_base_code_protocol, NULL, &bs, - buffer); - - if (status == EFI_BUFFER_TOO_SMALL) { - errcnt++; - FreePool(buffer); - if (errcnt > 1) - return FALSE; - buffer = AllocatePool(bs); - if (!buffer) - return FALSE; - goto try_again; } - if (status == EFI_NOT_FOUND) { - FreePool(buffer); + if (!pxe || !pxe->Mode) { + pxe = NULL; + return FALSE; + } + + if (!pxe->Mode->Started || !pxe->Mode->DhcpAckReceived) { + pxe = NULL; return FALSE; } /* - * We have a list of pxe supporting protocols, lets see if any are - * active - */ - hbuf = buffer; - pxe = NULL; - for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) { - status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i], - &pxe_base_code_protocol, - (void **)&pxe, image_handle, NULL, - EFI_OPEN_PROTOCOL_GET_PROTOCOL); - - if (status != EFI_SUCCESS) { - pxe = NULL; - continue; - } - - if (!pxe || !pxe->Mode) { - pxe = NULL; - continue; - } - - if (pxe->Mode->Started && pxe->Mode->DhcpAckReceived) { - /* - * We've located a pxe protocol handle thats been - * started and has received an ACK, meaning its - * something we'll be able to get tftp server info - * out of - */ - rc = TRUE; - break; - } - - } - - FreePool(buffer); - return rc; + * We've located a pxe protocol handle thats been started and has + * received an ACK, meaning its something we'll be able to get + * tftp server info out of + */ + return TRUE; } static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) diff --git a/shim.c b/shim.c index 48a6f2f..d8699f9 100644 --- a/shim.c +++ b/shim.c @@ -1373,7 +1373,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) goto done; } - if (findNetboot(image_handle)) { + if (findNetboot(li->DeviceHandle)) { efi_status = parseNetbootinfo(image_handle); if (efi_status != EFI_SUCCESS) { Print(L"Netboot parsing failed: %r\n", efi_status); From b8070380eef2596837916358393fa789bfa883f3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 09:55:49 -0400 Subject: [PATCH 118/163] Check the first 4 bytes of the certificate A non-DER encoding x509 certificate may be mistakenly enrolled into db or MokList. This commit checks the first 4 bytes of the certificate to ensure that it's DER encoding. This commit also removes the iteration of the x509 signature list. Per UEFI SPEC, each x509 signature list contains only one x509 certificate. Besides, the size of certificate is incorrect. The size of the header must be substracted from the signature size. Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 23 +++++++++++++++++++++-- shim.c | 45 +++++++++++++++++++++++++++++++-------------- 2 files changed, 52 insertions(+), 16 deletions(-) diff --git a/MokManager.c b/MokManager.c index 3da61f4..c9fbbac 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1306,12 +1306,31 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return -1; } -static BOOLEAN verify_certificate(void *cert, UINTN size) +static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) { X509 *X509Cert; - if (!cert || size == 0) + UINTN length; + if (!cert || size < 0) return FALSE; + /* + * A DER encoding x509 certificate starts with SEQUENCE(0x30), + * the number of length bytes, and the number of value bytes. + * The size of a x509 certificate is usually between 127 bytes + * and 64KB. For convenience, assume the number of value bytes + * is 2, i.e. the second byte is 0x82. + */ + if (cert[0] != 0x30 || cert[1] != 0x82) { + console_notify(L"Not a DER encoding X509 certificate"); + return FALSE; + } + + length = (cert[2]<<8 | cert[3]); + if (length != (size - 4)) { + console_notify(L"Invalid X509 certificate: Inconsistent size"); + return FALSE; + } + if (!(X509ConstructCertificate(cert, size, (UINT8 **) &X509Cert)) || X509Cert == NULL) { console_notify(L"Invalid X509 certificate"); diff --git a/shim.c b/shim.c index d8699f9..cd26ce6 100644 --- a/shim.c +++ b/shim.c @@ -226,44 +226,61 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, return EFI_SUCCESS; } +static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize) +{ + UINTN length; + + if (!Cert || CertSize < 4) + return FALSE; + + /* + * A DER encoding x509 certificate starts with SEQUENCE(0x30), + * the number of length bytes, and the number of value bytes. + * The size of a x509 certificate is usually between 127 bytes + * and 64KB. For convenience, assume the number of value bytes + * is 2, i.e. the second byte is 0x82. + */ + if (Cert[0] != 0x30 || Cert[1] != 0x82) + return FALSE; + + length = Cert[2]<<8 | Cert[3]; + if (length != (CertSize - 4)) + return FALSE; + + return TRUE; +} + static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, UINTN dbsize, WIN_CERTIFICATE_EFI_PKCS *data, UINT8 *hash) { EFI_SIGNATURE_DATA *Cert; - UINTN CertCount, Index; + UINTN CertSize; BOOLEAN IsFound = FALSE; EFI_GUID CertType = X509_GUID; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - for (Index = 0; Index < CertCount; Index++) { + CertSize = CertList->SignatureSize - sizeof(EFI_GUID); + if (verify_x509(Cert->SignatureData, CertSize)) { IsFound = AuthenticodeVerify (data->CertData, data->Hdr.dwLength - sizeof(data->Hdr), Cert->SignatureData, - CertList->SignatureSize, + CertSize, hash, SHA256_DIGEST_SIZE); if (IsFound) - break; - - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); + return DATA_FOUND; + } else if (verbose) { + console_notify(L"Not a DER encoding x.509 Certificate"); } - } - if (IsFound) - break; - dbsize -= CertList->SignatureListSize; CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); } - if (IsFound) - return DATA_FOUND; - return DATA_NOT_FOUND; } From c902256046459353118dfa25c7ff2af67dc36156 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 09:56:27 -0400 Subject: [PATCH 119/163] Remove grubpath in generate_path() The variable is not used anymore. Signed-off-by: Gary Ching-Pang Lin --- shim.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/shim.c b/shim.c index cd26ce6..eb8542a 100644 --- a/shim.c +++ b/shim.c @@ -1134,17 +1134,15 @@ should_use_fallback(EFI_HANDLE image_handle) * of the executable */ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, - EFI_DEVICE_PATH **grubpath, CHAR16 **PathName) + CHAR16 **PathName) { EFI_DEVICE_PATH *devpath; - EFI_HANDLE device; unsigned int i; int j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; - device = li->DeviceHandle; devpath = li->FilePath; bootpath = DevicePathToStr(devpath); @@ -1197,8 +1195,6 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, StrCat(*PathName, bootpath); StrCat(*PathName, ImagePath); - *grubpath = FileDevicePath(device, *PathName); - error: FreePool(bootpath); @@ -1361,7 +1357,6 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL; EFI_STATUS efi_status; EFI_LOADED_IMAGE *li, li_bak; - EFI_DEVICE_PATH *path; CHAR16 *PathName = NULL; void *sourcebuffer = NULL; UINT64 sourcesize = 0; @@ -1383,7 +1378,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) /* * Build a new path from the existing one plus the executable name */ - efi_status = generate_path(li, ImagePath, &path, &PathName); + efi_status = generate_path(li, ImagePath, &PathName); if (efi_status != EFI_SUCCESS) { Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status); From 38fe58d33aa9abfa1f5c086e5396ef31ee95ecb9 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 09:57:10 -0400 Subject: [PATCH 120/163] MokManager: delete the BS+NV variables the right way LibDeleteVariable assumes that the variable is RT+NV and it won't work on a BS+NV variable. Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/MokManager.c b/MokManager.c index c9fbbac..0ab308f 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1112,7 +1112,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { return -1; } } else { - LibDeleteVariable(L"MokSBState", &shim_lock_guid); + efi_status = uefi_call_wrapper(RT->SetVariable, + 5, L"MokSBState", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to delete Secure Boot state"); + return -1; + } } console_notify(L"The system must now be rebooted"); @@ -1224,7 +1233,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) { return -1; } } else { - LibDeleteVariable(L"MokDBState", &shim_lock_guid); + efi_status = uefi_call_wrapper(RT->SetVariable, 5, + L"MokDBState", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); + if (efi_status != EFI_SUCCESS) { + console_notify(L"Failed to delete DB state"); + return -1; + } } console_notify(L"The system must now be rebooted"); @@ -1261,7 +1279,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0) return 0; - LibDeleteVariable(L"MokPWStore", &shim_lock_guid); + uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); LibDeleteVariable(L"MokPW", &shim_lock_guid); console_notify(L"The system must now be rebooted"); uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, From dcc523811b7763036682ba42cc83cbf88f42a8f2 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:02:18 -0400 Subject: [PATCH 121/163] MokManager: handle the error status from ReadKeyStroke On some machines, even though the key event was signaled, ReadKeyStroke still got EFI_NOT_READY. This commit handles the error status to avoid console_get_keystroke from returning unexpected keys. Signed-off-by: Gary Ching-Pang Lin Conflicts: MokManager.c --- MokManager.c | 17 +++++++++++++---- include/console.h | 4 ++-- lib/console.c | 26 ++++++++++++++++++-------- 3 files changed, 33 insertions(+), 14 deletions(-) diff --git a/MokManager.c b/MokManager.c index 0ab308f..50cb9d7 100644 --- a/MokManager.c +++ b/MokManager.c @@ -488,13 +488,19 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) return EFI_SUCCESS; } -static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) +static EFI_STATUS get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show) { EFI_INPUT_KEY key; + EFI_STATUS status; unsigned int count = 0; do { - key = console_get_keystroke(); + status = console_get_keystroke(&key); + if (EFI_ERROR (status)) { + console_error(L"Failed to read the keystroke", status); + *length = 0; + return status; + } if ((count >= line_max && key.UnicodeChar != CHAR_BACKSPACE) || @@ -525,7 +531,7 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show *length = count; - return 1; + return EFI_SUCCESS; } static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password, @@ -989,6 +995,7 @@ static INTN mok_deletion_prompt (void *MokDel, UINTN MokDelSize) static CHAR16 get_password_charater (CHAR16 *prompt) { SIMPLE_TEXT_OUTPUT_MODE SavedMode; + EFI_STATUS status; CHAR16 *message[2]; CHAR16 character; UINTN length; @@ -1003,7 +1010,9 @@ static CHAR16 get_password_charater (CHAR16 *prompt) message[1] = NULL; length = StrLen(message[0]); console_print_box_at(message, -1, -length-4, -5, length+4, 3, 0, 1); - get_line(&pw_length, &character, 1, 0); + status = get_line(&pw_length, &character, 1, 0); + if (EFI_ERROR(status)) + character = 0; console_restore_mode(&SavedMode); diff --git a/include/console.h b/include/console.h index e6c2818..9c793ea 100644 --- a/include/console.h +++ b/include/console.h @@ -1,8 +1,8 @@ #ifndef _SHIM_LIB_CONSOLE_H #define _SHIM_LIB_CONSOLE_H 1 -EFI_INPUT_KEY -console_get_keystroke(void); +EFI_STATUS +console_get_keystroke(EFI_INPUT_KEY *key); void console_print_box_at(CHAR16 *str_arr[], int highlight, int start_col, int start_row, int size_cols, int size_rows, int offset, int lines); void diff --git a/lib/console.c b/lib/console.c index 2fc8db3..41ed83a 100644 --- a/lib/console.c +++ b/lib/console.c @@ -40,16 +40,18 @@ SetMem16(CHAR16 *dst, UINT32 n, CHAR16 c) } } -EFI_INPUT_KEY -console_get_keystroke(void) +EFI_STATUS +console_get_keystroke(EFI_INPUT_KEY *key) { - EFI_INPUT_KEY key; UINTN EventIndex; + EFI_STATUS status; - uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex); - uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &key); + do { + uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &EventIndex); + status = uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, key); + } while (status == EFI_NOT_READY); - return key; + return status; } void @@ -162,6 +164,8 @@ console_print_box(CHAR16 *str_arr[], int highlight) { SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode; SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + EFI_INPUT_KEY key; + CopyMem(&SavedConsoleMode, co->Mode, sizeof(SavedConsoleMode)); uefi_call_wrapper(co->EnableCursor, 2, co, FALSE); uefi_call_wrapper(co->SetAttribute, 2, co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); @@ -169,7 +173,7 @@ console_print_box(CHAR16 *str_arr[], int highlight) console_print_box_at(str_arr, highlight, 0, 0, -1, -1, 0, count_lines(str_arr)); - console_get_keystroke(); + console_get_keystroke(&key); uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); @@ -184,6 +188,7 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start) SIMPLE_TEXT_OUTPUT_MODE SavedConsoleMode; SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; EFI_INPUT_KEY k; + EFI_STATUS status; int selector; int selector_lines = count_lines(selectors); int selector_max_cols = 0; @@ -237,7 +242,12 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start) size_cols, size_rows, 0, lines); do { - k = console_get_keystroke(); + status = console_get_keystroke(&k); + if (EFI_ERROR (status)) { + Print(L"Failed to read the keystroke: %r", status); + selector = -1; + break; + } if (k.ScanCode == SCAN_ESC) { selector = -1; From ea1c89b047eb4b071efb533808b7d6ca6ae6e719 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:03:08 -0400 Subject: [PATCH 122/163] Exclude ca.crt while signing EFI images If ca.crt was added into the certificate database, ca.crt would be the first certificate in the signature. Because shim couldn't verify ca.crt with the embedded shim.cer, it failed to load MokManager.efi.signed and fallback.efi.signed. Signed-off-by: Gary Ching-Pang Lin --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index 46e5ef9..df190a2 100644 --- a/Makefile +++ b/Makefile @@ -73,7 +73,6 @@ version.c : version.c.in certdb/secmod.db: shim.crt -mkdir certdb - certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt pk12util -d certdb/ -i shim.p12 -W "" -K "" certutil -d certdb/ -A -i shim.crt -n shim -t u From 95c6743e4cc8f89d25c634ad85359081f3e7ab00 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:12:43 -0400 Subject: [PATCH 123/163] No newline for console_notify The newlines are for Print(), not console_notify(). Signed-off-by: Gary Ching-Pang Lin Conflicts: shim.c --- shim.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shim.c b/shim.c index eb8542a..f9fa606 100644 --- a/shim.c +++ b/shim.c @@ -479,7 +479,7 @@ static BOOLEAN secure_mode (void) status = get_variable(L"SecureBoot", &Data, &len, global_var); if (status != EFI_SUCCESS) { if (verbose) - console_notify(L"Secure boot not enabled\n"); + console_notify(L"Secure boot not enabled"); return FALSE; } sb = *Data; @@ -487,7 +487,7 @@ static BOOLEAN secure_mode (void) if (sb != 1) { if (verbose) - console_notify(L"Secure boot not enabled\n"); + console_notify(L"Secure boot not enabled"); return FALSE; } @@ -500,7 +500,7 @@ static BOOLEAN secure_mode (void) if (setupmode == 1) { if (verbose) - console_notify(L"Platform is in setup mode\n"); + console_notify(L"Platform is in setup mode"); return FALSE; } From d8d7464f2cdd86ae01293086119463bf4a6b4a9c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:15:31 -0400 Subject: [PATCH 124/163] Remove the duplicate calls in lib/console.c Signed-off-by: Gary Ching-Pang Lin --- lib/console.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lib/console.c b/lib/console.c index 41ed83a..83ee679 100644 --- a/lib/console.c +++ b/lib/console.c @@ -175,8 +175,6 @@ console_print_box(CHAR16 *str_arr[], int highlight) console_get_keystroke(&key); - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); uefi_call_wrapper(co->SetCursorPosition, 3, co, SavedConsoleMode.CursorColumn, SavedConsoleMode.CursorRow); uefi_call_wrapper(co->SetAttribute, 2, co, SavedConsoleMode.Attribute); @@ -272,8 +270,6 @@ console_select(CHAR16 *title[], CHAR16* selectors[], int start) } while (!(k.ScanCode == SCAN_NULL && k.UnicodeChar == CHAR_CARRIAGE_RETURN)); - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); - uefi_call_wrapper(co->EnableCursor, 2, co, SavedConsoleMode.CursorVisible); uefi_call_wrapper(co->SetCursorPosition, 3, co, SavedConsoleMode.CursorColumn, SavedConsoleMode.CursorRow); uefi_call_wrapper(co->SetAttribute, 2, co, SavedConsoleMode.Attribute); From e50cfe371f58b9313180093f1217b2fc20d94718 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:30:38 -0400 Subject: [PATCH 125/163] Silence the functions of shim protocol When grub2 invokes the functions of shim protocol in gfx mode, OutputString in shim could distort the screen. Signed-off-by: Gary Ching-Pang Lin Conflicts: shim.c (modified by pjones to include some newer Prints that weren't there when Gary did the initial work here.) --- shim.c | 192 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 114 insertions(+), 78 deletions(-) diff --git a/shim.c b/shim.c index f9fa606..69af766 100644 --- a/shim.c +++ b/shim.c @@ -59,6 +59,14 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB static CHAR16 *second_stage; static void *load_options; static UINT32 load_options_size; +static UINT8 in_protocol; + +#define perror(fmt, ...) ({ \ + UINTN __perror_ret = 0; \ + if (in_protocol) \ + __perror_ret = Print((fmt), ##__VA_ARGS__); \ + __perror_ret; \ + }) EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; @@ -133,7 +141,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, #endif if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { - Print(L"Image has no relocation entry\n"); + perror(L"Image has no relocation entry\n"); return EFI_UNSUPPORTED; } @@ -141,7 +149,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); if (!RelocBase || !RelocBaseEnd) { - Print(L"Reloc table overflows binary\n"); + perror(L"Reloc table overflows binary\n"); return EFI_UNSUPPORTED; } @@ -154,19 +162,19 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION)); if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) { - Print(L"Reloc block size is invalid\n"); + perror(L"Reloc block size is invalid\n"); return EFI_UNSUPPORTED; } RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) { - Print(L"Reloc entry overflows binary\n"); + perror(L"Reloc entry overflows binary\n"); return EFI_UNSUPPORTED; } FixupBase = ImageAddress(data, size, RelocBase->VirtualAddress); if (!FixupBase) { - Print(L"Invalid fixupbase\n"); + perror(L"Invalid fixupbase\n"); return EFI_UNSUPPORTED; } @@ -215,7 +223,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, break; default: - Print(L"Unknown relocation\n"); + perror(L"Unknown relocation\n"); return EFI_UNSUPPORTED; } Reloc += 1; @@ -478,7 +486,7 @@ static BOOLEAN secure_mode (void) status = get_variable(L"SecureBoot", &Data, &len, global_var); if (status != EFI_SUCCESS) { - if (verbose) + if (verbose && !in_protocol) console_notify(L"Secure boot not enabled"); return FALSE; } @@ -486,7 +494,7 @@ static BOOLEAN secure_mode (void) FreePool(Data); if (sb != 1) { - if (verbose) + if (verbose && !in_protocol) console_notify(L"Secure boot not enabled"); return FALSE; } @@ -499,7 +507,7 @@ static BOOLEAN secure_mode (void) FreePool(Data); if (setupmode == 1) { - if (verbose) + if (verbose && !in_protocol) console_notify(L"Platform is in setup mode"); return FALSE; } @@ -531,14 +539,14 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, unsigned int PEHdr_offset = 0; if (datasize_in < 0) { - Print(L"Invalid data size\n"); + perror(L"Invalid data size\n"); return EFI_INVALID_PARAMETER; } size = datasize = (unsigned int)datasize_in; if (datasize <= sizeof (*DosHdr) || DosHdr->e_magic != EFI_IMAGE_DOS_SIGNATURE) { - Print(L"Invalid signature\n"); + perror(L"Invalid signature\n"); return EFI_INVALID_PARAMETER; } PEHdr_offset = DosHdr->e_lfanew; @@ -550,12 +558,12 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, sha1ctx = AllocatePool(sha1ctxsize); if (!sha256ctx || !sha1ctx) { - Print(L"Unable to allocate memory for hash context\n"); + perror(L"Unable to allocate memory for hash context\n"); return EFI_OUT_OF_RESOURCES; } if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) { - Print(L"Unable to initialise hash\n"); + perror(L"Unable to initialise hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -567,7 +575,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -579,7 +587,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -597,7 +605,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -621,14 +629,14 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, context->PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + (index * sizeof(*SectionPtr))); if (!SectionPtr) { - Print(L"Malformed section %d\n", index); + perror(L"Malformed section %d\n", index); status = EFI_INVALID_PARAMETER; goto done; } /* Validate section size is within image. */ if (SectionPtr->SizeOfRawData > datasize - SumOfBytesHashed - SumOfSectionBytes) { - Print(L"Malformed section %d size\n", index); + perror(L"Malformed section %d size\n", index); status = EFI_INVALID_PARAMETER; goto done; } @@ -637,7 +645,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * context->PEHdr->Pe32.FileHeader.NumberOfSections); if (SectionHeader == NULL) { - Print(L"Unable to allocate section header\n"); + perror(L"Unable to allocate section header\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -669,7 +677,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, hashbase = ImageAddress(data, size, Section->PointerToRawData); if (!hashbase) { - Print(L"Malformed section header\n"); + perror(L"Malformed section header\n"); status = EFI_INVALID_PARAMETER; goto done; } @@ -677,7 +685,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, /* Verify hashsize within image. */ if (Section->SizeOfRawData > datasize - Section->PointerToRawData) { - Print(L"Malformed section raw size %d\n", index); + perror(L"Malformed section raw size %d\n", index); status = EFI_INVALID_PARAMETER; goto done; } @@ -685,7 +693,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -706,7 +714,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { - Print(L"Unable to generate hash\n"); + perror(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -714,7 +722,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, if (!(Sha256Final(sha256ctx, sha256hash)) || !(Sha1Final(sha1ctx, sha1hash))) { - Print(L"Unable to finalise hash\n"); + perror(L"Unable to finalise hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } @@ -744,9 +752,9 @@ static EFI_STATUS verify_mok (void) { shim_lock_guid, &attributes); if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokList is compromised!\nErase all keys in MokList!\n"); + perror(L"MokList is compromised!\nErase all keys in MokList!\n"); if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokList\n"); + perror(L"Failed to erase MokList\n"); return EFI_ACCESS_DENIED; } } @@ -774,13 +782,13 @@ static EFI_STATUS verify_buffer (char *data, int datasize, context->SecDir->VirtualAddress); if (!cert) { - Print(L"Certificate located outside the image\n"); + perror(L"Certificate located outside the image\n"); return EFI_INVALID_PARAMETER; } if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { - Print(L"Unsupported certificate type %x\n", + perror(L"Unsupported certificate type %x\n", cert->Hdr.wCertificateType); return EFI_UNSUPPORTED; } @@ -804,7 +812,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, status = check_blacklist(cert, sha256hash, sha1hash); if (status != EFI_SUCCESS) { - Print(L"Binary is blacklisted\n"); + perror(L"Binary is blacklisted\n"); return status; } @@ -857,7 +865,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, unsigned long HeaderWithoutDataDir, SectionHeaderOffset, OptHeaderSize; if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) { - Print(L"Invalid image\n"); + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } @@ -877,7 +885,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections; if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES < context->NumberOfRvaAndSizes) { - Print(L"Image header too small\n"); + perror(L"Image header too small\n"); return EFI_UNSUPPORTED; } @@ -885,7 +893,7 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, - sizeof (EFI_IMAGE_DATA_DIRECTORY) * EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES; if (((UINT32)PEHdr->Pe32.FileHeader.SizeOfOptionalHeader - HeaderWithoutDataDir) != context->NumberOfRvaAndSizes * sizeof (EFI_IMAGE_DATA_DIRECTORY)) { - Print(L"Image header overflows data directory\n"); + perror(L"Image header overflows data directory\n"); return EFI_UNSUPPORTED; } @@ -895,28 +903,28 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader; if (((UINT32)context->ImageSize - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER <= context->NumberOfSections) { - Print(L"Image sections overflow image size\n"); + perror(L"Image sections overflow image size\n"); return EFI_UNSUPPORTED; } if ((context->SizeOfHeaders - SectionHeaderOffset) / EFI_IMAGE_SIZEOF_SECTION_HEADER < (UINT32)context->NumberOfSections) { - Print(L"Image sections overflow section headers\n"); + perror(L"Image sections overflow section headers\n"); return EFI_UNSUPPORTED; } if ((((UINT8 *)PEHdr - (UINT8 *)data) + sizeof(EFI_IMAGE_OPTIONAL_HEADER_UNION)) > datasize) { - Print(L"Invalid image\n"); + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (PEHdr->Te.Signature != EFI_IMAGE_NT_SIGNATURE) { - Print(L"Unsupported image type\n"); + perror(L"Unsupported image type\n"); return EFI_UNSUPPORTED; } if (PEHdr->Pe32.FileHeader.Characteristics & EFI_IMAGE_FILE_RELOCS_STRIPPED) { - Print(L"Unsupported image - Relocations have been stripped\n"); + perror(L"Unsupported image - Relocations have been stripped\n"); return EFI_UNSUPPORTED; } @@ -935,23 +943,24 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER)); if (context->ImageSize < context->SizeOfHeaders) { - Print(L"Invalid image\n"); + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if ((unsigned long)((UINT8 *)context->SecDir - (UINT8 *)data) > (datasize - sizeof(EFI_IMAGE_DATA_DIRECTORY))) { - Print(L"Invalid image\n"); + perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (context->SecDir->VirtualAddress >= datasize) { - Print(L"Malformed security header\n"); + perror(L"Malformed security header\n"); return EFI_INVALID_PARAMETER; } return EFI_SUCCESS; } + /* * Once the image has been loaded it needs to be validated and relocated */ @@ -971,7 +980,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, */ efi_status = read_header(data, datasize, &context); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to read header: %r\n", efi_status); + perror(L"Failed to read header: %r\n", efi_status); return efi_status; } @@ -993,7 +1002,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, buffer = AllocatePool(context.ImageSize); if (!buffer) { - Print(L"Failed to allocate image buffer\n"); + perror(L"Failed to allocate image buffer\n"); return EFI_OUT_OF_RESOURCES; } @@ -1013,13 +1022,13 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, end = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress + size - 1); if (!base || !end) { - Print(L"Invalid section size\n"); + perror(L"Invalid section size\n"); return EFI_UNSUPPORTED; } if (Section->VirtualAddress < context.SizeOfHeaders || Section->PointerToRawData < context.SizeOfHeaders) { - Print(L"Section is inside image headers\n"); + perror(L"Section is inside image headers\n"); return EFI_UNSUPPORTED; } @@ -1038,7 +1047,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, efi_status = relocate_coff(&context, buffer); if (efi_status != EFI_SUCCESS) { - Print(L"Relocation failed: %r\n", efi_status); + perror(L"Relocation failed: %r\n", efi_status); FreePool(buffer); return efi_status; } @@ -1056,7 +1065,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, li->LoadOptionsSize = load_options_size; if (!entry_point) { - Print(L"Invalid entry point\n"); + perror(L"Invalid entry point\n"); FreePool(buffer); return EFI_UNSUPPORTED; } @@ -1079,7 +1088,7 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &loaded_image_protocol, (void **)&li); if (EFI_ERROR(rc)) { - Print(L"Could not get image for bootx64.efi: %r\n", rc); + perror(L"Could not get image for bootx64.efi: %r\n", rc); return 0; } @@ -1101,13 +1110,13 @@ should_use_fallback(EFI_HANDLE image_handle) rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle, &FileSystemProtocol, (void **)&fio); if (EFI_ERROR(rc)) { - Print(L"Could not get fio for li->DeviceHandle: %r\n", rc); + perror(L"Could not get fio for li->DeviceHandle: %r\n", rc); return 0; } - + rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh); if (EFI_ERROR(rc)) { - Print(L"Could not open fio volume: %r\n", rc); + perror(L"Could not open fio volume: %r\n", rc); return 0; } @@ -1185,7 +1194,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); if (!*PathName) { - Print(L"Failed to allocate path buffer\n"); + perror(L"Failed to allocate path buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1226,14 +1235,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, (void **)&drive); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to find fs: %r\n", efi_status); + perror(L"Failed to find fs: %r\n", efi_status); goto error; } efi_status = uefi_call_wrapper(drive->OpenVolume, 2, drive, &root); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open fs: %r\n", efi_status); + perror(L"Failed to open fs: %r\n", efi_status); goto error; } @@ -1244,14 +1253,14 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, EFI_FILE_MODE_READ, 0); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to open %s - %r\n", PathName, efi_status); + perror(L"Failed to open %s - %r\n", PathName, efi_status); goto error; } fileinfo = AllocatePool(buffersize); if (!fileinfo) { - Print(L"Unable to allocate file info buffer\n"); + perror(L"Unable to allocate file info buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1267,7 +1276,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, FreePool(fileinfo); fileinfo = AllocatePool(buffersize); if (!fileinfo) { - Print(L"Unable to allocate file info buffer\n"); + perror(L"Unable to allocate file info buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1277,7 +1286,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unable to get file info: %r\n", efi_status); + perror(L"Unable to get file info: %r\n", efi_status); goto error; } @@ -1286,7 +1295,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, *data = AllocatePool(buffersize); if (!*data) { - Print(L"Unable to allocate file buffer\n"); + perror(L"Unable to allocate file buffer\n"); efi_status = EFI_OUT_OF_RESOURCES; goto error; } @@ -1305,7 +1314,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, } if (efi_status != EFI_SUCCESS) { - Print(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize); + perror(L"Unexpected return from initial read: %r, buffersize %x\n", efi_status, buffersize); goto error; } @@ -1335,6 +1344,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) PE_COFF_LOADER_IMAGE_CONTEXT context; loader_is_participating = 1; + in_protocol = 1; if (!secure_mode()) return EFI_SUCCESS; @@ -1342,9 +1352,35 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) status = read_header(buffer, size, &context); if (status != EFI_SUCCESS) - return status; + goto done; status = verify_buffer(buffer, size, &context); +done: + in_protocol = 0; + return status; +} + +static EFI_STATUS shim_hash (char *data, int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context, + UINT8 *sha256hash, UINT8 *sha1hash) +{ + EFI_STATUS status; + + in_protocol = 1; + status = generate_hash(data, datasize, context, sha256hash, sha1hash); + in_protocol = 0; + + return status; +} + +static EFI_STATUS shim_read_header(void *data, unsigned int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context) +{ + EFI_STATUS status; + + in_protocol = 1; + status = read_header(data, datasize, context); + in_protocol = 0; return status; } @@ -1371,7 +1407,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) &loaded_image_protocol, (void **)&li); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to init protocol\n"); + perror(L"Unable to init protocol\n"); return efi_status; } @@ -1381,20 +1417,20 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = generate_path(li, ImagePath, &PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status); + perror(L"Unable to generate path %s: %r\n", ImagePath, efi_status); goto done; } if (findNetboot(li->DeviceHandle)) { efi_status = parseNetbootinfo(image_handle); if (efi_status != EFI_SUCCESS) { - Print(L"Netboot parsing failed: %r\n", efi_status); + perror(L"Netboot parsing failed: %r\n", efi_status); return EFI_PROTOCOL_ERROR; } efi_status = FetchNetbootimage(image_handle, &sourcebuffer, &sourcesize); if (efi_status != EFI_SUCCESS) { - Print(L"Unable to fetch TFTP image: %r\n", efi_status); + perror(L"Unable to fetch TFTP image: %r\n", efi_status); return efi_status; } data = sourcebuffer; @@ -1406,7 +1442,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = load_image(li, &data, &datasize, PathName); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image %s: %r\n", PathName, efi_status); + perror(L"Failed to load image %s: %r\n", PathName, efi_status); goto done; } } @@ -1423,7 +1459,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = handle_image(data, datasize, li); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to load image: %r\n", efi_status); + perror(L"Failed to load image: %r\n", efi_status); CopyMem(li, &li_bak, sizeof(li_bak)); goto done; } @@ -1495,7 +1531,7 @@ EFI_STATUS mirror_mok_list() ; FullData = AllocatePool(FullDataSize); if (!FullData) { - Print(L"Failed to allocate space for MokListRT\n"); + perror(L"Failed to allocate space for MokListRT\n"); return EFI_OUT_OF_RESOURCES; } p = FullData; @@ -1526,7 +1562,7 @@ EFI_STATUS mirror_mok_list() | EFI_VARIABLE_RUNTIME_ACCESS, FullDataSize, FullData); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokListRT: %r\n", efi_status); + perror(L"Failed to set MokListRT: %r\n", efi_status); } return efi_status; @@ -1567,7 +1603,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) efi_status = start_image(image_handle, MOK_MANAGER); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to start MokManager: %r\n", efi_status); + perror(L"Failed to start MokManager: %r\n", efi_status); return efi_status; } } @@ -1601,9 +1637,9 @@ static EFI_STATUS check_mok_sb (void) * modified by the OS */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokSBState is compromised! Clearing it\n"); + perror(L"MokSBState is compromised! Clearing it\n"); if (LibDeleteVariable(L"MokSBState", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokSBState\n"); + perror(L"Failed to erase MokSBState\n"); } status = EFI_ACCESS_DENIED; } else { @@ -1642,9 +1678,9 @@ static EFI_STATUS check_mok_db (void) * modified by the OS */ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - Print(L"MokDBState is compromised! Clearing it\n"); + perror(L"MokDBState is compromised! Clearing it\n"); if (LibDeleteVariable(L"MokDBState", &shim_lock_guid) != EFI_SUCCESS) { - Print(L"Failed to erase MokDBState\n"); + perror(L"Failed to erase MokDBState\n"); } status = EFI_ACCESS_DENIED; } else { @@ -1674,7 +1710,7 @@ static EFI_STATUS mok_ignore_db() | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, (void *)&Data); if (efi_status != EFI_SUCCESS) { - Print(L"Failed to set MokIgnoreDB: %r\n", efi_status); + perror(L"Failed to set MokIgnoreDB: %r\n", efi_status); } } @@ -1702,7 +1738,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &LoadedImageProtocol, (void **) &li); if (status != EFI_SUCCESS) { - Print (L"Failed to get load options: %r\n", status); + perror (L"Failed to get load options: %r\n", status); return status; } @@ -1746,7 +1782,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) if (loader_len > 0) { loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16)); if (!loader_str) { - Print(L"Failed to allocate loader string\n"); + perror(L"Failed to allocate loader string\n"); return EFI_OUT_OF_RESOURCES; } for (i = 0; i < loader_len; i++) @@ -1825,8 +1861,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) * call back in and use shim functions */ shim_lock_interface.Verify = shim_verify; - shim_lock_interface.Hash = generate_hash; - shim_lock_interface.Context = read_header; + shim_lock_interface.Hash = shim_hash; + shim_lock_interface.Context = shim_read_header; systab = passed_systab; From fe8527aaa6305ae5992a70491e6b1c06432aaa3a Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:33:25 -0400 Subject: [PATCH 126/163] Free the string from DevicePathToStr Signed-off-by: Gary Ching-Pang Lin Conflicts: shim.c --- shim.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/shim.c b/shim.c index 69af766..72d6072 100644 --- a/shim.c +++ b/shim.c @@ -1079,11 +1079,12 @@ should_use_fallback(EFI_HANDLE image_handle) EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL; EFI_LOADED_IMAGE *li; unsigned int pathlen = 0; - CHAR16 *bootpath; + CHAR16 *bootpath = NULL; EFI_FILE_IO_INTERFACE *fio = NULL; EFI_FILE *vh; EFI_FILE *fh; EFI_STATUS rc; + int ret = 0; rc = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, &loaded_image_protocol, (void **)&li); @@ -1101,23 +1102,23 @@ should_use_fallback(EFI_HANDLE image_handle) */ if (StrnCaseCmp(bootpath, L"\\EFI\\BOOT\\BOOT", 14) && StrnCaseCmp(bootpath, L"\\EFI\\BOOT\\/BOOT", 15)) - return 0; + goto error; pathlen = StrLen(bootpath); if (pathlen < 5 || StrCaseCmp(bootpath + pathlen - 4, L".EFI")) - return 0; + goto error; rc = uefi_call_wrapper(BS->HandleProtocol, 3, li->DeviceHandle, &FileSystemProtocol, (void **)&fio); if (EFI_ERROR(rc)) { perror(L"Could not get fio for li->DeviceHandle: %r\n", rc); - return 0; + goto error; } rc = uefi_call_wrapper(fio->OpenVolume, 2, fio, &vh); if (EFI_ERROR(rc)) { perror(L"Could not open fio volume: %r\n", rc); - return 0; + goto error; } rc = uefi_call_wrapper(vh->Open, 5, vh, &fh, L"\\EFI\\BOOT" FALLBACK, @@ -1130,12 +1131,17 @@ should_use_fallback(EFI_HANDLE image_handle) * rc); */ uefi_call_wrapper(vh->Close, 1, vh); - return 0; + goto error; } uefi_call_wrapper(fh->Close, 1, fh); uefi_call_wrapper(vh->Close, 1, vh); - return 1; + ret = 1; +error: + if (bootpath) + FreePool(bootpath); + + return ret; } /* From 3b414422277f5a47c5fdd2d260eff8329d280ce8 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 25 Jun 2014 10:46:52 -0400 Subject: [PATCH 127/163] Explain the logic in secure_mode() better. I was getting confused reading it, and I wrote it, so clearly it needs more commentry. Signed-off-by: Peter Jones --- shim.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/shim.c b/shim.c index 72d6072..210e778 100644 --- a/shim.c +++ b/shim.c @@ -499,6 +499,12 @@ static BOOLEAN secure_mode (void) return FALSE; } + /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode", + * then the implementation is bad, but we assume that secure boot is + * enabled according to the status of "SecureBoot". If we have both + * of them, then "SetupMode" may tell us additional data, and we need + * to consider it. + */ status = get_variable(L"SetupMode", &Data, &len, global_var); if (status != EFI_SUCCESS) return TRUE; From 7a72592b75879542e9ebd808868f83a78bdfbbc6 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:55:12 -0400 Subject: [PATCH 128/163] Check the secure variables with the lib functions There are functions defined in lib to check the secure variables. Use the functions to shun the duplicate code. Signed-off-by: Gary Ching-Pang Lin Conflicts: shim.c --- lib/variables.c | 14 ++++++++++---- shim.c | 32 ++------------------------------ 2 files changed, 12 insertions(+), 34 deletions(-) diff --git a/lib/variables.c b/lib/variables.c index 3a9735e..4c64d7e 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -284,9 +284,12 @@ variable_is_setupmode(void) /* set to 1 because we return true if SetupMode doesn't exist */ UINT8 SetupMode = 1; UINTN DataSize = sizeof(SetupMode); + EFI_STATUS status; - uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, - &DataSize, &SetupMode); + status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, + &DataSize, &SetupMode); + if (EFI_ERROR(status)) + return 1; return SetupMode; } @@ -297,10 +300,13 @@ variable_is_secureboot(void) /* return false if variable doesn't exist */ UINT8 SecureBoot = 0; UINTN DataSize; + EFI_STATUS status; DataSize = sizeof(SecureBoot); - uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL, - &DataSize, &SecureBoot); + status = uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL, + &DataSize, &SecureBoot); + if (EFI_ERROR(status)) + return 0; return SecureBoot; } diff --git a/shim.c b/shim.c index 210e778..14fb601 100644 --- a/shim.c +++ b/shim.c @@ -475,44 +475,16 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, static BOOLEAN secure_mode (void) { - EFI_STATUS status; - EFI_GUID global_var = EFI_GLOBAL_VARIABLE; - UINTN len; - UINT8 *Data; - UINT8 sb, setupmode; - if (user_insecure_mode) return FALSE; - status = get_variable(L"SecureBoot", &Data, &len, global_var); - if (status != EFI_SUCCESS) { - if (verbose && !in_protocol) - console_notify(L"Secure boot not enabled"); - return FALSE; - } - sb = *Data; - FreePool(Data); - - if (sb != 1) { + if (variable_is_secureboot() != 1) { if (verbose && !in_protocol) console_notify(L"Secure boot not enabled"); return FALSE; } - /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode", - * then the implementation is bad, but we assume that secure boot is - * enabled according to the status of "SecureBoot". If we have both - * of them, then "SetupMode" may tell us additional data, and we need - * to consider it. - */ - status = get_variable(L"SetupMode", &Data, &len, global_var); - if (status != EFI_SUCCESS) - return TRUE; - - setupmode = *Data; - FreePool(Data); - - if (setupmode == 1) { + if (variable_is_setupmode() == 1) { if (verbose && !in_protocol) console_notify(L"Platform is in setup mode"); return FALSE; From 9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 25 Jun 2014 10:55:56 -0400 Subject: [PATCH 129/163] Make sure we default to assuming we're locked down. If "SecureBoot" exists but "SetupMode" does not, assume "SetupMode" says we're not in Setup Mode. Signed-off-by: Peter Jones --- include/variables.h | 2 +- lib/variables.c | 8 ++++---- shim.c | 8 +++++++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/include/variables.h b/include/variables.h index b207dbf..deed269 100644 --- a/include/variables.h +++ b/include/variables.h @@ -50,7 +50,7 @@ SETOSIndicationsAndReboot(UINT64 indications); int variable_is_secureboot(void); int -variable_is_setupmode(void); +variable_is_setupmode(int default_return); EFI_STATUS variable_enroll_hash(CHAR16 *var, EFI_GUID owner, UINT8 hash[SHA256_DIGEST_SIZE]); diff --git a/lib/variables.c b/lib/variables.c index 4c64d7e..59d7d05 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -139,7 +139,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, /* Microsoft request: Bugs in some UEFI platforms mean that PK or any * other secure variable can be updated or deleted programmatically, * so prevent */ - if (!variable_is_setupmode()) + if (!variable_is_setupmode(1)) return EFI_SECURITY_VIOLATION; if (createtimebased) { @@ -279,17 +279,17 @@ find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen) } int -variable_is_setupmode(void) +variable_is_setupmode(int default_return) { /* set to 1 because we return true if SetupMode doesn't exist */ - UINT8 SetupMode = 1; + UINT8 SetupMode = default_return; UINTN DataSize = sizeof(SetupMode); EFI_STATUS status; status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL, &DataSize, &SetupMode); if (EFI_ERROR(status)) - return 1; + return default_return; return SetupMode; } diff --git a/shim.c b/shim.c index 14fb601..fe73ec1 100644 --- a/shim.c +++ b/shim.c @@ -484,7 +484,13 @@ static BOOLEAN secure_mode (void) return FALSE; } - if (variable_is_setupmode() == 1) { + /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode", + * then the implementation is bad, but we assume that secure boot is + * enabled according to the status of "SecureBoot". If we have both + * of them, then "SetupMode" may tell us additional data, and we need + * to consider it. + */ + if (variable_is_setupmode(0) == 1) { if (verbose && !in_protocol) console_notify(L"Platform is in setup mode"); return FALSE; From 875eb1b9d501d853b2c44f86a32a51b59f85eef9 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 25 Jun 2014 10:58:23 -0400 Subject: [PATCH 130/163] Simplify the checking of SB and DB states MokSBState and MokDBState are just 1 byte variables, so a UINT8 local variable is sufficient to include the content. Signed-off-by: Gary Ching-Pang Lin Conflicts: shim.c --- shim.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/shim.c b/shim.c index fe73ec1..ea8eba8 100644 --- a/shim.c +++ b/shim.c @@ -1609,16 +1609,15 @@ static EFI_STATUS check_mok_sb (void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; - UINT8 *MokSBState = NULL; - UINTN MokSBStateSize = 0; + UINT8 MokSBState; + UINTN MokSBStateSize = sizeof(MokSBState); UINT32 attributes; user_insecure_mode = 0; ignore_db = 0; - status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize, - shim_lock_guid, &attributes); - + status = uefi_call_wrapper(RT->GetVariable, 5, L"MokSBState", &shim_lock_guid, + &attributes, &MokSBStateSize, &MokSBState); if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1633,13 +1632,11 @@ static EFI_STATUS check_mok_sb (void) } status = EFI_ACCESS_DENIED; } else { - if (*(UINT8 *)MokSBState == 1) { + if (MokSBState == 1) { user_insecure_mode = 1; } } - FreePool(MokSBState); - return status; } @@ -1651,13 +1648,12 @@ static EFI_STATUS check_mok_db (void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS status = EFI_SUCCESS; - UINT8 *MokDBState = NULL; - UINTN MokDBStateSize = 0; + UINT8 MokDBState; + UINTN MokDBStateSize = sizeof(MokDBStateSize); UINT32 attributes; - status = get_variable_attr(L"MokDBState", &MokDBState, &MokDBStateSize, - shim_lock_guid, &attributes); - + status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDBState", &shim_lock_guid, + &attributes, &MokDBStateSize, &MokDBState); if (status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1674,13 +1670,11 @@ static EFI_STATUS check_mok_db (void) } status = EFI_ACCESS_DENIED; } else { - if (*(UINT8 *)MokDBState == 1) { + if (MokDBState == 1) { ignore_db = 1; } } - FreePool(MokDBState); - return status; } From f9368474dd80b630adf745314b0336c16a35b0ad Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 14 Jul 2014 09:03:36 -0400 Subject: [PATCH 131/163] Update openssl to 0.9.8za Also update to Tiano Cryptlib r15638 --- Cryptlib/Cryptlib.diff | 4 +- Cryptlib/Include/openssl/bn.h | 11 + Cryptlib/Include/openssl/crypto.h | 37 +- Cryptlib/Include/openssl/ec.h | 10 +- Cryptlib/Include/openssl/engine.h | 8 +- Cryptlib/Include/openssl/opensslv.h | 6 +- Cryptlib/Include/openssl/ssl.h | 13 +- Cryptlib/Include/openssl/ssl3.h | 10 + Cryptlib/Include/openssl/symhacks.h | 10 +- Cryptlib/Include/openssl/tls1.h | 14 + Cryptlib/Makefile | 6 +- Cryptlib/OpenSSL/crypto/asn1/a_int.c | 2 +- Cryptlib/OpenSSL/crypto/asn1/a_strex.c | 1 + Cryptlib/OpenSSL/crypto/asn1/a_strnid.c | 2 +- Cryptlib/OpenSSL/crypto/asn1/a_verify.c | 6 + Cryptlib/OpenSSL/crypto/asn1/t_pkey.c | 5 - Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c | 5 +- Cryptlib/OpenSSL/crypto/bn/bn_lib.c | 52 + Cryptlib/OpenSSL/crypto/bn/bn_mont.c | 50 +- Cryptlib/OpenSSL/crypto/bn/bn_word.c | 25 +- Cryptlib/OpenSSL/crypto/cryptlib.c | 16 + Cryptlib/OpenSSL/crypto/ec/ec2_mult.c | 26 +- Cryptlib/OpenSSL/crypto/ec/ec_key.c | 13 +- Cryptlib/OpenSSL/crypto/ec/ec_lib.c | 10 +- Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c | 11 +- Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c | 11 +- Cryptlib/OpenSSL/crypto/engine/eng_all.c | 6 +- Cryptlib/OpenSSL/crypto/err/err_all.c | 2 + Cryptlib/OpenSSL/crypto/evp/bio_b64.c | 3 +- Cryptlib/OpenSSL/crypto/evp/encode.c | 1 + Cryptlib/OpenSSL/crypto/o_init.c | 14 + Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c | 10 +- Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c | 8 + Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c | 2 +- Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c | 4 +- Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c | 2 +- Cryptlib/OpenSSL/crypto/x509/x509_vfy.c | 6 +- Cryptlib/OpenSSL/update.sh | 998 +++++++++--------- Cryptlib/Pk/CryptPkcs7Sign.c | 207 ++++ Cryptlib/Pk/CryptPkcs7SignNull.c | 59 ++ .../Pk/{CryptPkcs7.c => CryptPkcs7Verify.c} | 306 ++---- Cryptlib/Pk/CryptPkcs7VerifyNull.c | 100 ++ Cryptlib/Pk/CryptRsaExtNull.c | 125 +++ Cryptlib/Rand/CryptRand.c | 11 +- Cryptlib/update.sh | 9 +- 45 files changed, 1427 insertions(+), 810 deletions(-) create mode 100644 Cryptlib/Pk/CryptPkcs7Sign.c create mode 100644 Cryptlib/Pk/CryptPkcs7SignNull.c rename Cryptlib/Pk/{CryptPkcs7.c => CryptPkcs7Verify.c} (74%) create mode 100644 Cryptlib/Pk/CryptPkcs7VerifyNull.c create mode 100644 Cryptlib/Pk/CryptRsaExtNull.c diff --git a/Cryptlib/Cryptlib.diff b/Cryptlib/Cryptlib.diff index 9663d90..a2f49d6 100644 --- a/Cryptlib/Cryptlib.diff +++ b/Cryptlib/Cryptlib.diff @@ -6,8 +6,8 @@ index 68bc25a..1abe78e 100644 // BUG: hardcode OldSize == size! We have no any knowledge about // memory size of original pointer ptr. // -- return ReallocatePool ((UINTN)size, (UINTN)size, ptr); -+ return ReallocatePool (ptr, (UINTN)size, (UINTN)size); +- return ReallocatePool ((UINTN) size, (UINTN) size, ptr); ++ return ReallocatePool (ptr, (UINTN) size, (UINTN) size); } /* De-allocates or frees a memory block */ diff --git a/Cryptlib/Include/openssl/bn.h b/Cryptlib/Include/openssl/bn.h index f1719a5..688a4e7 100644 --- a/Cryptlib/Include/openssl/bn.h +++ b/Cryptlib/Include/openssl/bn.h @@ -511,6 +511,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret, BIGNUM *BN_mod_sqrt(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx); +void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); + /* Deprecated versions */ #ifndef OPENSSL_NO_DEPRECATED BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe, @@ -740,11 +742,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num); #define bn_fix_top(a) bn_check_top(a) +#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) +#define bn_wcheck_size(bn, words) \ + do { \ + const BIGNUM *_bnum2 = (bn); \ + assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ + } while(0) + #else /* !BN_DEBUG */ #define bn_pollute(a) #define bn_check_top(a) #define bn_fix_top(a) bn_correct_top(a) +#define bn_check_size(bn, bits) +#define bn_wcheck_size(bn, words) #endif diff --git a/Cryptlib/Include/openssl/crypto.h b/Cryptlib/Include/openssl/crypto.h index fc1374f..ac0c949 100644 --- a/Cryptlib/Include/openssl/crypto.h +++ b/Cryptlib/Include/openssl/crypto.h @@ -235,15 +235,15 @@ typedef struct openssl_item_st #ifndef OPENSSL_NO_LOCKING #ifndef CRYPTO_w_lock #define CRYPTO_w_lock(type) \ - CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0) #define CRYPTO_w_unlock(type) \ - CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0) #define CRYPTO_r_lock(type) \ - CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0) #define CRYPTO_r_unlock(type) \ - CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__) + CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0) #define CRYPTO_add(addr,amount,type) \ - CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__) + CRYPTO_add_lock(addr,amount,type,NULL,0) #endif #else #define CRYPTO_w_lock(a) @@ -361,19 +361,19 @@ int CRYPTO_is_mem_check_on(void); #define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) #define is_MemCheck_on() CRYPTO_is_mem_check_on() -#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) -#define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) +#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0) +#define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0) #define OPENSSL_realloc(addr,num) \ - CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) + CRYPTO_realloc((char *)addr,(int)num,NULL,0) #define OPENSSL_realloc_clean(addr,old_num,num) \ - CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__) + CRYPTO_realloc_clean(addr,old_num,num,NULL,0) #define OPENSSL_remalloc(addr,num) \ - CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__) + CRYPTO_remalloc((char **)addr,(int)num,NULL,0) #define OPENSSL_freeFunc CRYPTO_free #define OPENSSL_free(addr) CRYPTO_free(addr) #define OPENSSL_malloc_locked(num) \ - CRYPTO_malloc_locked((int)num,__FILE__,__LINE__) + CRYPTO_malloc_locked((int)num,NULL,0) #define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr) @@ -487,7 +487,7 @@ void CRYPTO_set_mem_debug_options(long bits); long CRYPTO_get_mem_debug_options(void); #define CRYPTO_push_info(info) \ - CRYPTO_push_info_(info, __FILE__, __LINE__); + CRYPTO_push_info_(info, NULL, 0); int CRYPTO_push_info_(const char *info, const char *file, int line); int CRYPTO_pop_info(void); int CRYPTO_remove_all_info(void); @@ -528,17 +528,17 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb); /* die if we have to */ void OpenSSLDie(const char *file,int line,const char *assertion); -#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1)) +#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1)) unsigned long *OPENSSL_ia32cap_loc(void); #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) int OPENSSL_isservice(void); #ifdef OPENSSL_FIPS -#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ +#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \ alg " previous FIPS forbidden algorithm error ignored"); -#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \ +#define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \ #alg " Algorithm forbidden in FIPS mode"); #ifdef OPENSSL_FIPS_STRICT @@ -591,6 +591,13 @@ int OPENSSL_isservice(void); #define OPENSSL_HAVE_INIT 1 void OPENSSL_init(void); +/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It + * takes an amount of time dependent on |len|, but independent of the contents + * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a + * defined order as the return value when a != b is undefined, other than to be + * non-zero. */ +int CRYPTO_memcmp(const void *a, const void *b, size_t len); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/Cryptlib/Include/openssl/ec.h b/Cryptlib/Include/openssl/ec.h index 8bc2a23..367307f 100644 --- a/Cryptlib/Include/openssl/ec.h +++ b/Cryptlib/Include/openssl/ec.h @@ -321,7 +321,15 @@ void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t); /* functions to set/get method specific data */ void *EC_KEY_get_key_method_data(EC_KEY *, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -void EC_KEY_insert_key_method_data(EC_KEY *, void *data, +/** Sets the key method data of an EC_KEY object, if none has yet been set. + * \param key EC_KEY object + * \param data opaque data to install. + * \param dup_func a function that duplicates |data|. + * \param free_func a function that frees |data|. + * \param clear_free_func a function that wipes and frees |data|. + * \return the previously set data pointer, or NULL if |data| was inserted. + */ +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); /* wrapper functions for the underlying EC_GROUP object */ void EC_KEY_set_asn1_flag(EC_KEY *, int); diff --git a/Cryptlib/Include/openssl/engine.h b/Cryptlib/Include/openssl/engine.h index d4bc1ef..b4e0444 100644 --- a/Cryptlib/Include/openssl/engine.h +++ b/Cryptlib/Include/openssl/engine.h @@ -335,15 +335,15 @@ void ENGINE_load_gmp(void); void ENGINE_load_nuron(void); void ENGINE_load_sureware(void); void ENGINE_load_ubsec(void); -#endif -void ENGINE_load_cryptodev(void); -void ENGINE_load_padlock(void); -void ENGINE_load_builtin_engines(void); #ifdef OPENSSL_SYS_WIN32 #ifndef OPENSSL_NO_CAPIENG void ENGINE_load_capi(void); #endif #endif +#endif +void ENGINE_load_cryptodev(void); +void ENGINE_load_padlock(void); +void ENGINE_load_builtin_engines(void); /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation * "registry" handling. */ diff --git a/Cryptlib/Include/openssl/opensslv.h b/Cryptlib/Include/openssl/opensslv.h index 4a5a5ae..e5ab5c4 100644 --- a/Cryptlib/Include/openssl/opensslv.h +++ b/Cryptlib/Include/openssl/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090817fL +#define OPENSSL_VERSION_NUMBER 0x009081afL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8w-fips 23 Apr 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8za-fips 5 Jun 2014" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8w 23 Apr 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8za 5 Jun 2014" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/Cryptlib/Include/openssl/ssl.h b/Cryptlib/Include/openssl/ssl.h index eb50e14..5f2a04e 100644 --- a/Cryptlib/Include/openssl/ssl.h +++ b/Cryptlib/Include/openssl/ssl.h @@ -490,11 +490,14 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 + /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS @@ -1204,6 +1207,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE +#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE +#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1820,6 +1825,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 @@ -2073,6 +2079,11 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 +#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 +#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 +#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 +#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 +#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 diff --git a/Cryptlib/Include/openssl/ssl3.h b/Cryptlib/Include/openssl/ssl3.h index b9a85ef..de5e559 100644 --- a/Cryptlib/Include/openssl/ssl3.h +++ b/Cryptlib/Include/openssl/ssl3.h @@ -333,6 +333,7 @@ typedef struct ssl3_buffer_st #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 #define SSL3_FLAGS_POP_BUFFER 0x0004 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define SSL3_FLAGS_CCS_OK 0x0080 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us @@ -460,6 +461,15 @@ typedef struct ssl3_state_st unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; unsigned char previous_server_finished_len; int send_connection_binding; /* TODOEKR */ + +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC + /* This is set to true if we believe that this is a version of Safari + * running on OS X 10.6 or newer. We wish to know this because Safari + * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ + char is_probably_safari; +#endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_TLSEXT */ } SSL3_STATE; diff --git a/Cryptlib/Include/openssl/symhacks.h b/Cryptlib/Include/openssl/symhacks.h index 0114093..c540771 100644 --- a/Cryptlib/Include/openssl/symhacks.h +++ b/Cryptlib/Include/openssl/symhacks.h @@ -252,15 +252,15 @@ #define EC_POINT_set_compressed_coordinates_GF2m \ EC_POINT_set_compr_coords_GF2m #undef ec_GF2m_simple_group_clear_finish -#define ec_GF2m_simple_group_clear_finish ec_GF2m_simple_grp_clr_finish +#define ec_GF2m_simple_group_clear_finish ec_GF2m_simple_grp_clr_finish #undef ec_GF2m_simple_group_check_discriminant #define ec_GF2m_simple_group_check_discriminant ec_GF2m_simple_grp_chk_discrim #undef ec_GF2m_simple_point_clear_finish -#define ec_GF2m_simple_point_clear_finish ec_GF2m_simple_pt_clr_finish +#define ec_GF2m_simple_point_clear_finish ec_GF2m_simple_pt_clr_finish #undef ec_GF2m_simple_point_set_to_infinity -#define ec_GF2m_simple_point_set_to_infinity ec_GF2m_simple_pt_set_to_inf +#define ec_GF2m_simple_point_set_to_infinity ec_GF2m_simple_pt_set_to_inf #undef ec_GF2m_simple_points_make_affine -#define ec_GF2m_simple_points_make_affine ec_GF2m_simple_pts_make_affine +#define ec_GF2m_simple_points_make_affine ec_GF2m_simple_pts_make_affine #undef ec_GF2m_simple_point_set_affine_coordinates #define ec_GF2m_simple_point_set_affine_coordinates \ ec_GF2m_smp_pt_set_af_coords @@ -288,8 +288,6 @@ #define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf #undef ec_GFp_simple_points_make_affine #define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine -#undef ec_GFp_simple_group_get_curve_GFp -#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp #undef ec_GFp_simple_set_Jprojective_coordinates_GFp #define ec_GFp_simple_set_Jprojective_coordinates_GFp \ ec_GFp_smp_set_Jproj_coords_GFp diff --git a/Cryptlib/Include/openssl/tls1.h b/Cryptlib/Include/openssl/tls1.h index afe4807..47f25af 100644 --- a/Cryptlib/Include/openssl/tls1.h +++ b/Cryptlib/Include/openssl/tls1.h @@ -80,10 +80,24 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 +#define TLS1_2_VERSION 0x0303 +#define TLS1_2_VERSION_MAJOR 0x03 +#define TLS1_2_VERSION_MINOR 0x03 + +#define TLS1_1_VERSION 0x0302 +#define TLS1_1_VERSION_MAJOR 0x03 +#define TLS1_1_VERSION_MINOR 0x02 + #define TLS1_VERSION 0x0301 #define TLS1_VERSION_MAJOR 0x03 #define TLS1_VERSION_MINOR 0x01 +#define TLS1_get_version(s) \ + ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) + +#define TLS1_get_client_version(s) \ + ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0) + #define TLS1_AD_DECRYPTION_FAILED 21 #define TLS1_AD_RECORD_OVERFLOW 22 #define TLS1_AD_UNKNOWN_CA 48 /* fatal */ diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index d24e59e..678baac 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -30,7 +30,11 @@ OBJS = Hash/CryptMd4.o \ Rand/CryptRand.o \ Pk/CryptRsaBasic.o \ Pk/CryptRsaExt.o \ - Pk/CryptPkcs7.o \ + Pk/CryptRsaExtNull.o \ + Pk/CryptPkcs7Sign.o \ + Pk/CryptPkcs7SignNull.o \ + Pk/CryptPkcs7Verify.o \ + Pk/CryptPkcs7VerifyNull.o \ Pk/CryptDh.o \ Pk/CryptX509.o \ Pk/CryptAuthenticode.o \ diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_int.c b/Cryptlib/OpenSSL/crypto/asn1/a_int.c index f551bdb..ee26c31 100755 --- a/Cryptlib/OpenSSL/crypto/asn1/a_int.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_int.c @@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) int pad=0,ret,i,neg; unsigned char *p,*n,pb=0; - if ((a == NULL) || (a->data == NULL)) return(0); + if (a == NULL) return(0); neg=a->type & V_ASN1_NEG; if (a->length == 0) ret=1; diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c index 264ebf2..ead37ac 100755 --- a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c @@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) if(mbflag == -1) return -1; mbflag |= MBSTRING_FLAG; stmp.data = NULL; + stmp.length = 0; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c index b68ae43..9b7d688 100755 --- a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c @@ -75,7 +75,7 @@ static int table_cmp(const void *a, const void *b); * certain software (e.g. Netscape) has problems with them. */ -static unsigned long global_mask = 0xFFFFFFFFL; +static unsigned long global_mask = B_ASN1_UTF8STRING; void ASN1_STRING_set_default_mask(unsigned long mask) { diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c index da3efaa..7ded69b 100755 --- a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c @@ -138,6 +138,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat unsigned char *buf_in=NULL; int ret= -1,i,inl; + if (!pkey) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + EVP_MD_CTX_init(&ctx); i=OBJ_obj2nid(a->algorithm); type=EVP_get_digestbyname(OBJ_nid2sn(i)); diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c index afb95d6..bc23f56 100755 --- a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c +++ b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c @@ -208,11 +208,6 @@ int DSA_print(BIO *bp, const DSA *x, int off) if (x->p) buf_len = (size_t)BN_num_bytes(x->p); - else - { - DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS); - goto err; - } if (x->q) if (buf_len < (i = (size_t)BN_num_bytes(x->q))) buf_len = i; diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c index 94d9f7e..bc8a7bf 100755 --- a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c +++ b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c @@ -371,12 +371,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); if (key->pkey) { + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); EVP_PKEY_free(ret); ret = key->pkey; } else + { key->pkey = ret; - CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + } CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); return(ret); err: diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c index 32a8fba..b66f507 100755 --- a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c @@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, } return bn_cmp_words(a,b,cl); } + +/* + * Constant-time conditional swap of a and b. + * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. + * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, + * and that no more than nwords are used by either a or b. + * a and b cannot be the same number + */ +void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) + { + BN_ULONG t; + int i; + + bn_wcheck_size(a, nwords); + bn_wcheck_size(b, nwords); + + assert(a != b); + assert((condition & (condition - 1)) == 0); + assert(sizeof(BN_ULONG) >= sizeof(int)); + + condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; + + t = (a->top^b->top) & condition; + a->top ^= t; + b->top ^= t; + +#define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ + a->d[ind] ^= t; \ + b->d[ind] ^= t; \ + } while (0) + + + switch (nwords) { + default: + for (i = 10; i < nwords; i++) + BN_CONSTTIME_SWAP(i); + /* Fallthrough */ + case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ + case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ + case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ + case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ + case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ + case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ + case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ + case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ + case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ + case 1: BN_CONSTTIME_SWAP(0); + } +#undef BN_CONSTTIME_SWAP +} diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c index 4799b15..27cafb1 100755 --- a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c @@ -701,32 +701,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, BN_CTX *ctx) { - int got_write_lock = 0; BN_MONT_CTX *ret; CRYPTO_r_lock(lock); - if (!*pmont) - { - CRYPTO_r_unlock(lock); - CRYPTO_w_lock(lock); - got_write_lock = 1; - - if (!*pmont) - { - ret = BN_MONT_CTX_new(); - if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) - BN_MONT_CTX_free(ret); - else - *pmont = ret; - } - } - ret = *pmont; - - if (got_write_lock) - CRYPTO_w_unlock(lock); + CRYPTO_r_unlock(lock); + if (ret) + return ret; + + /* We don't want to serialise globally while doing our lazy-init math in + * BN_MONT_CTX_set. That punishes threads that are doing independent + * things. Instead, punish the case where more than one thread tries to + * lazy-init the same 'pmont', by having each do the lazy-init math work + * independently and only use the one from the thread that wins the race + * (the losers throw away the work they've done). */ + ret = BN_MONT_CTX_new(); + if (!ret) + return NULL; + if (!BN_MONT_CTX_set(ret, mod, ctx)) + { + BN_MONT_CTX_free(ret); + return NULL; + } + + /* The locked compare-and-set, after the local work is done. */ + CRYPTO_w_lock(lock); + if (*pmont) + { + BN_MONT_CTX_free(ret); + ret = *pmont; + } else - CRYPTO_r_unlock(lock); - + *pmont = ret; + CRYPTO_w_unlock(lock); return ret; } diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_word.c b/Cryptlib/OpenSSL/crypto/bn/bn_word.c index ee7b87c..de83a15 100755 --- a/Cryptlib/OpenSSL/crypto/bn/bn_word.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_word.c @@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) a->neg=!(a->neg); return(i); } - /* Only expand (and risk failing) if it's possibly necessary */ - if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) && - (bn_wexpand(a,a->top+1) == NULL)) - return(0); - i=0; - for (;;) + for (i=0;w!=0 && itop;i++) { - if (i >= a->top) - l=w; - else - l=(a->d[i]+w)&BN_MASK2; - a->d[i]=l; - if (w > l) - w=1; - else - break; - i++; + a->d[i] = l = (a->d[i]+w)&BN_MASK2; + w = (w>l)?1:0; } - if (i >= a->top) + if (w && i==a->top) + { + if (bn_wexpand(a,a->top+1) == NULL) return 0; a->top++; + a->d[i]=w; + } bn_check_top(a); return(1); } diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c index dd74ea8..dec3286 100755 --- a/Cryptlib/OpenSSL/crypto/cryptlib.c +++ b/Cryptlib/OpenSSL/crypto/cryptlib.c @@ -542,3 +542,19 @@ void OpenSSLDie(const char *file,int line,const char *assertion) } void *OPENSSL_stderr(void) { return stderr; } + +#ifndef OPENSSL_FIPS + +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) + { + size_t i; + const unsigned char *a = in_a; + const unsigned char *b = in_b; + unsigned char x = 0; + + for (i = 0; i < len; i++) + x |= a[i] ^ b[i]; + + return x; + } +#endif diff --git a/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c b/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c index 7dca5e4..6b570a3 100755 --- a/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c @@ -208,9 +208,12 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG /* Computes scalar*point and stores the result in r. * point can not equal r. - * Uses algorithm 2P of + * Uses a modified algorithm 2P of * Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over * GF(2^m) without precomputation". + * + * To protect against side-channel attack the function uses constant time + * swap avoiding conditional branches. */ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx) @@ -244,6 +247,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, x2 = &r->X; z2 = &r->Y; + bn_wexpand(x1, group->field.top); + bn_wexpand(z1, group->field.top); + bn_wexpand(x2, group->field.top); + bn_wexpand(z2, group->field.top); + if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ if (!BN_one(z1)) goto err; /* z1 = 1 */ if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ @@ -266,16 +274,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, { for (; j >= 0; j--) { - if (scalar->d[i] & mask) - { - if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; - if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; - } - else - { - if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; - if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; - } + BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top); + BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top); + if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; + if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; + BN_consttime_swap(scalar->d[i] & mask, x1, x2, group->field.top); + BN_consttime_swap(scalar->d[i] & mask, z1, z2, group->field.top); mask >>= 1; } j = BN_BITS2 - 1; diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_key.c b/Cryptlib/OpenSSL/crypto/ec/ec_key.c index 522802c..6c933d2 100755 --- a/Cryptlib/OpenSSL/crypto/ec/ec_key.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec_key.c @@ -435,18 +435,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform) void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { - return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + void *ret; + + CRYPTO_r_lock(CRYPTO_LOCK_EC); + ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + CRYPTO_r_unlock(CRYPTO_LOCK_EC); + + return ret; } -void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { EC_EXTRA_DATA *ex_data; + CRYPTO_w_lock(CRYPTO_LOCK_EC); ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); if (ex_data == NULL) EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func); CRYPTO_w_unlock(CRYPTO_LOCK_EC); + + return ex_data; } void EC_KEY_set_asn1_flag(EC_KEY *key, int flag) diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_lib.c b/Cryptlib/OpenSSL/crypto/ec/ec_lib.c index 5af8437..bbf2799 100755 --- a/Cryptlib/OpenSSL/crypto/ec/ec_lib.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec_lib.c @@ -480,10 +480,10 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx) if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) != EC_METHOD_get_field_type(EC_GROUP_method_of(b))) return 1; - /* compare the curve name (if present) */ + /* compare the curve name (if present in both) */ if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) && - EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b)) - return 0; + EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b)) + return 1; if (!ctx) ctx_new = ctx = BN_CTX_new(); @@ -1061,12 +1061,12 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN if (group->meth->point_cmp == 0) { ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + return -1; } if ((group->meth != a->meth) || (a->meth != b->meth)) { ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); - return 0; + return -1; } return group->meth->point_cmp(group, a, b, ctx); } diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c index bf22234..f9ba5fb 100755 --- a/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c +++ b/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c @@ -205,8 +205,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key) ecdh_data = (ECDH_DATA *)ecdh_data_new(); if (ecdh_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdh_data, - ecdh_data_dup, ecdh_data_free, ecdh_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data, + ecdh_data_dup, ecdh_data_free, ecdh_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdh_data_free(ecdh_data); + ecdh_data = (ECDH_DATA *)data; + } } else ecdh_data = (ECDH_DATA *)data; diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c index 2ebae3a..81082c9 100755 --- a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c +++ b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c @@ -188,8 +188,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) ecdsa_data = (ECDSA_DATA *)ecdsa_data_new(); if (ecdsa_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, - ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, + ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdsa_data_free(ecdsa_data); + ecdsa_data = (ECDSA_DATA *)data; + } } else ecdsa_data = (ECDSA_DATA *)data; diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_all.c b/Cryptlib/OpenSSL/crypto/engine/eng_all.c index f29c167..8a1b9c7 100755 --- a/Cryptlib/OpenSSL/crypto/engine/eng_all.c +++ b/Cryptlib/OpenSSL/crypto/engine/eng_all.c @@ -102,14 +102,14 @@ void ENGINE_load_builtin_engines(void) #if !defined(OPENSSL_NO_GMP) && !defined(OPENSSL_NO_HW_GMP) ENGINE_load_gmp(); #endif +#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG) + ENGINE_load_capi(); +#endif #endif #ifndef OPENSSL_NO_HW #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) ENGINE_load_cryptodev(); #endif -#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG) - ENGINE_load_capi(); -#endif #endif } diff --git a/Cryptlib/OpenSSL/crypto/err/err_all.c b/Cryptlib/OpenSSL/crypto/err/err_all.c index 39796f7..0429389 100755 --- a/Cryptlib/OpenSSL/crypto/err/err_all.c +++ b/Cryptlib/OpenSSL/crypto/err/err_all.c @@ -104,7 +104,9 @@ #ifndef OPENSSL_NO_JPAKE #include #endif +#ifndef OPENSSL_NO_COMP #include +#endif void ERR_load_crypto_strings(void) { diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c index 72a2a67..16863fe 100755 --- a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c +++ b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c @@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl) else if (ctx->start) { q=p=(unsigned char *)ctx->tmp; + num = 0; for (j=0; j v) { rv=-1; goto end; } ret+=(v-eof); } else diff --git a/Cryptlib/OpenSSL/crypto/o_init.c b/Cryptlib/OpenSSL/crypto/o_init.c index d767a90..c89fda5 100755 --- a/Cryptlib/OpenSSL/crypto/o_init.c +++ b/Cryptlib/OpenSSL/crypto/o_init.c @@ -93,4 +93,18 @@ void OPENSSL_init(void) #endif } +#ifdef OPENSSL_FIPS +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) + { + size_t i; + const unsigned char *a = in_a; + const unsigned char *b = in_b; + unsigned char x = 0; + + for (i = 0; i < len; i++) + x |= a[i] ^ b[i]; + + return x; + } +#endif diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c index 4a0c387..f24080f 100755 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c @@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { EVP_PKEY *skey; skey = X509_get_pubkey(signer); - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - if(ret <= 0) + if (skey) + { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); + } + if(!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; @@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); if(!init_res) { + ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c index 9522342..3ef3be1 100755 --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c @@ -100,7 +100,11 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; else #endif +#ifdef OPENSSL_NO_RC2 + nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +#else nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; +#endif } if (!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; @@ -290,7 +294,11 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, free_safes = 0; if (nid_safe == 0) +#ifdef OPENSSL_NO_RC2 + nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +#else nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC; +#endif if (nid_safe == -1) p7 = PKCS12_pack_p7data(bags); diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c index 5c4c6ec..bdbbbec 100755 --- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c +++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c @@ -261,7 +261,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, int len, r; unsigned char *data; len = ASN1_STRING_to_UTF8(&data, fname); - if(len > 0) { + if(len >= 0) { r = X509_alias_set1(x509, data, len); OPENSSL_free(data); if (!r) diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c index b0ff89a..49b450d 100755 --- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c +++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c @@ -290,8 +290,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, bufsiz = 4096; buf = OPENSSL_malloc (bufsiz); - if (buf == NULL) { - goto err; + if (buf == NULL) { + goto err; } /* We now have to 'read' from p7bio to calculate digests etc. */ diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c index 546ae5f..b8e3edc 100755 --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c @@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL); - if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) + if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) goto decoding_err; else { diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c index af12520..b87617a 100755 --- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c @@ -386,11 +386,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) static int check_chain_extensions(X509_STORE_CTX *ctx) { -#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI) - /* - NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting - in Authenticode Signing Certificates. - */ +#ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else int i, ok=0, must_be_ca, plen = 0; diff --git a/Cryptlib/OpenSSL/update.sh b/Cryptlib/OpenSSL/update.sh index cb25ccd..95875e7 100755 --- a/Cryptlib/OpenSSL/update.sh +++ b/Cryptlib/OpenSSL/update.sh @@ -1,499 +1,501 @@ #/bin/sh -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/e_os.h e_os.h -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cryptlib.c crypto/cryptlib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dyn_lck.c crypto/dyn_lck.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/mem.c crypto/mem.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/mem_clr.c crypto/mem_clr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/mem_dbg.c crypto/mem_dbg.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cversion.c crypto/cversion.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ex_data.c crypto/ex_data.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cpt_err.c crypto/cpt_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ebcdic.c crypto/ebcdic.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/uid.c crypto/uid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_time.c crypto/o_time.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_str.c crypto/o_str.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_dir.c crypto/o_dir.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/o_init.c crypto/o_init.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/fips_err.c crypto/fips_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md2/md2_dgst.c crypto/md2/md2_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md2/md2_one.c crypto/md2/md2_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md4/md4_dgst.c crypto/md4/md4_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md4/md4_one.c crypto/md4/md4_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md5/md5_dgst.c crypto/md5/md5_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/md5/md5_one.c crypto/md5/md5_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha_dgst.c crypto/sha/sha_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha1dgst.c crypto/sha/sha1dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha_one.c crypto/sha/sha_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha1_one.c crypto/sha/sha1_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha256.c crypto/sha/sha256.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/sha/sha512.c crypto/sha/sha512.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/hmac/hmac.c crypto/hmac/hmac.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ripemd/rmd_dgst.c crypto/ripemd/rmd_dgst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ripemd/rmd_one.c crypto/ripemd/rmd_one.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_lib.c crypto/des/des_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/set_key.c crypto/des/set_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ecb_enc.c crypto/des/ecb_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cbc_enc.c crypto/des/cbc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ecb3_enc.c crypto/des/ecb3_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cfb64enc.c crypto/des/cfb64enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cfb64ede.c crypto/des/cfb64ede.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cfb_enc.c crypto/des/cfb_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ofb64ede.c crypto/des/ofb64ede.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/enc_read.c crypto/des/enc_read.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/enc_writ.c crypto/des/enc_writ.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ofb64enc.c crypto/des/ofb64enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ofb_enc.c crypto/des/ofb_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/str2key.c crypto/des/str2key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/pcbc_enc.c crypto/des/pcbc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/qud_cksm.c crypto/des/qud_cksm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/rand_key.c crypto/des/rand_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_enc.c crypto/des/des_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/fcrypt_b.c crypto/des/fcrypt_b.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/fcrypt.c crypto/des/fcrypt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/xcbc_enc.c crypto/des/xcbc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/rpc_enc.c crypto/des/rpc_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/cbc_cksm.c crypto/des/cbc_cksm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/ede_cbcm_enc.c crypto/des/ede_cbcm_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_old.c crypto/des/des_old.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/des_old2.c crypto/des/des_old2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/des/read2pwd.c crypto/des/read2pwd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2_ecb.c crypto/rc2/rc2_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2_skey.c crypto/rc2/rc2_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2_cbc.c crypto/rc2/rc2_cbc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2cfb64.c crypto/rc2/rc2cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc2/rc2ofb64.c crypto/rc2/rc2ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc4/rc4_enc.c crypto/rc4/rc4_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc4/rc4_skey.c crypto/rc4/rc4_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rc4/rc4_fblk.c crypto/rc4/rc4_fblk.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_cbc.c crypto/idea/i_cbc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_cfb64.c crypto/idea/i_cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_ofb64.c crypto/idea/i_ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_ecb.c crypto/idea/i_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/idea/i_skey.c crypto/idea/i_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_skey.c crypto/bf/bf_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_ecb.c crypto/bf/bf_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_enc.c crypto/bf/bf_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_cfb64.c crypto/bf/bf_cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bf/bf_ofb64.c crypto/bf/bf_ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_skey.c crypto/cast/c_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_ecb.c crypto/cast/c_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_enc.c crypto/cast/c_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_cfb64.c crypto/cast/c_cfb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/cast/c_ofb64.c crypto/cast/c_ofb64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_misc.c crypto/aes/aes_misc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ecb.c crypto/aes/aes_ecb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ofb.c crypto/aes/aes_ofb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ctr.c crypto/aes/aes_ctr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_ige.c crypto/aes/aes_ige.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_wrap.c crypto/aes/aes_wrap.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_core.c crypto/aes/aes_core.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/aes/aes_cbc.c crypto/aes/aes_cbc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_add.c crypto/bn/bn_add.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_div.c crypto/bn/bn_div.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_exp.c crypto/bn/bn_exp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_lib.c crypto/bn/bn_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_ctx.c crypto/bn/bn_ctx.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mul.c crypto/bn/bn_mul.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mod.c crypto/bn/bn_mod.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_print.c crypto/bn/bn_print.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_rand.c crypto/bn/bn_rand.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_shift.c crypto/bn/bn_shift.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_word.c crypto/bn/bn_word.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_blind.c crypto/bn/bn_blind.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_kron.c crypto/bn/bn_kron.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_sqrt.c crypto/bn/bn_sqrt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_gcd.c crypto/bn/bn_gcd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_prime.c crypto/bn/bn_prime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_err.c crypto/bn/bn_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_sqr.c crypto/bn/bn_sqr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_asm.c crypto/bn/bn_asm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_recp.c crypto/bn/bn_recp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mont.c crypto/bn/bn_mont.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_mpi.c crypto/bn/bn_mpi.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_exp2.c crypto/bn/bn_exp2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_gf2m.c crypto/bn/bn_gf2m.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_nist.c crypto/bn/bn_nist.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_depr.c crypto/bn/bn_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_x931p.c crypto/bn/bn_x931p.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_const.c crypto/bn/bn_const.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bn/bn_opt.c crypto/bn/bn_opt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_gen.c crypto/rsa/rsa_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_sign.c crypto/rsa/rsa_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_saos.c crypto/rsa/rsa_saos.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_err.c crypto/rsa/rsa_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_pk1.c crypto/rsa/rsa_pk1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_ssl.c crypto/rsa/rsa_ssl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_none.c crypto/rsa/rsa_none.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_chk.c crypto/rsa/rsa_chk.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_null.c crypto/rsa/rsa_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_pss.c crypto/rsa/rsa_pss.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_x931.c crypto/rsa/rsa_x931.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_x931g.c crypto/rsa/rsa_x931g.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_asn1.c crypto/rsa/rsa_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_depr.c crypto/rsa/rsa_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rsa/rsa_eng.c crypto/rsa/rsa_eng.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_gen.c crypto/dsa/dsa_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_key.c crypto/dsa/dsa_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_asn1.c crypto/dsa/dsa_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_vrf.c crypto/dsa/dsa_vrf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_sign.c crypto/dsa/dsa_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_err.c crypto/dsa/dsa_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_ossl.c crypto/dsa/dsa_ossl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_depr.c crypto/dsa/dsa_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dsa/dsa_utl.c crypto/dsa/dsa_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_dl.c crypto/dso/dso_dl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_dlfcn.c crypto/dso/dso_dlfcn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_err.c crypto/dso/dso_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_lib.c crypto/dso/dso_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_null.c crypto/dso/dso_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_openssl.c crypto/dso/dso_openssl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_win32.c crypto/dso/dso_win32.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dso/dso_vms.c crypto/dso/dso_vms.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_asn1.c crypto/dh/dh_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_gen.c crypto/dh/dh_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_key.c crypto/dh/dh_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_lib.c crypto/dh/dh_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_check.c crypto/dh/dh_check.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_err.c crypto/dh/dh_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/dh/dh_depr.c crypto/dh/dh_depr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_lib.c crypto/ec/ec_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ecp_smpl.c crypto/ec/ecp_smpl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ecp_mont.c crypto/ec/ecp_mont.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ecp_nist.c crypto/ec/ecp_nist.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_cvt.c crypto/ec/ec_cvt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_mult.c crypto/ec/ec_mult.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_err.c crypto/ec/ec_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_curve.c crypto/ec/ec_curve.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_check.c crypto/ec/ec_check.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_print.c crypto/ec/ec_print.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec_key.c crypto/ec/ec_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec2_smpl.c crypto/ec/ec2_smpl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ec/ec2_mult.c crypto/ec/ec2_mult.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_lib.c crypto/ecdh/ech_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_ossl.c crypto/ecdh/ech_ossl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_key.c crypto/ecdh/ech_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdh/ech_err.c crypto/ecdh/ech_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_lib.c crypto/ecdsa/ecs_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_asn1.c crypto/ecdsa/ecs_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_sign.c crypto/ecdsa/ecs_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_vrf.c crypto/ecdsa/ecs_vrf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ecdsa/ecs_err.c crypto/ecdsa/ecs_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/buffer/buffer.c crypto/buffer/buffer.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/buffer/buf_str.c crypto/buffer/buf_str.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/buffer/buf_err.c crypto/buffer/buf_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bio_lib.c crypto/bio/bio_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bio_cb.c crypto/bio/bio_cb.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bio_err.c crypto/bio/bio_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_mem.c crypto/bio/bss_mem.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_null.c crypto/bio/bss_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_fd.c crypto/bio/bss_fd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_file.c crypto/bio/bss_file.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bf_null.c crypto/bio/bf_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bf_buff.c crypto/bio/bf_buff.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/b_dump.c crypto/bio/b_dump.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bf_nbio.c crypto/bio/bf_nbio.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_log.c crypto/bio/bss_log.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_bio.c crypto/bio/bss_bio.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/bio/bss_dgram.c crypto/bio/bss_dgram.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/stack/stack.c crypto/stack/stack.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/lhash/lhash.c crypto/lhash/lhash.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/lhash/lh_stats.c crypto/lhash/lh_stats.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/md_rand.c crypto/rand/md_rand.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/randfile.c crypto/rand/randfile.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_lib.c crypto/rand/rand_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_eng.c crypto/rand/rand_eng.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_err.c crypto/rand/rand_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_egd.c crypto/rand/rand_egd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_win.c crypto/rand/rand_win.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_unix.c crypto/rand/rand_unix.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_os2.c crypto/rand/rand_os2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/rand/rand_nw.c crypto/rand/rand_nw.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err.c crypto/err/err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_def.c crypto/err/err_def.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_all.c crypto/err/err_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_prn.c crypto/err/err_prn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_str.c crypto/err/err_str.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/err/err_bio.c crypto/err/err_bio.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/o_names.c crypto/objects/o_names.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/obj_dat.c crypto/objects/obj_dat.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/obj_lib.c crypto/objects/obj_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/objects/obj_err.c crypto/objects/obj_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/encode.c crypto/evp/encode.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/digest.c crypto/evp/digest.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/dig_eng.c crypto/evp/dig_eng.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_enc.c crypto/evp/evp_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_key.c crypto/evp/evp_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_acnf.c crypto/evp/evp_acnf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_cnf.c crypto/evp/evp_cnf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_des.c crypto/evp/e_des.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_bf.c crypto/evp/e_bf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_idea.c crypto/evp/e_idea.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_des3.c crypto/evp/e_des3.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_rc4.c crypto/evp/e_rc4.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_aes.c crypto/evp/e_aes.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/names.c crypto/evp/names.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_xcbc_d.c crypto/evp/e_xcbc_d.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_rc2.c crypto/evp/e_rc2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_cast.c crypto/evp/e_cast.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_rc5.c crypto/evp/e_rc5.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/enc_min.c crypto/evp/enc_min.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_null.c crypto/evp/m_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_md2.c crypto/evp/m_md2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_md4.c crypto/evp/m_md4.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_md5.c crypto/evp/m_md5.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_sha.c crypto/evp/m_sha.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_sha1.c crypto/evp/m_sha1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_dss.c crypto/evp/m_dss.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_dss1.c crypto/evp/m_dss1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_ripemd.c crypto/evp/m_ripemd.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/m_ecdsa.c crypto/evp/m_ecdsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_open.c crypto/evp/p_open.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_seal.c crypto/evp/p_seal.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_sign.c crypto/evp/p_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_verify.c crypto/evp/p_verify.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_lib.c crypto/evp/p_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_enc.c crypto/evp/p_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p_dec.c crypto/evp/p_dec.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_md.c crypto/evp/bio_md.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_b64.c crypto/evp/bio_b64.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_enc.c crypto/evp/bio_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_err.c crypto/evp/evp_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_null.c crypto/evp/e_null.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/c_all.c crypto/evp/c_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/c_allc.c crypto/evp/c_allc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/c_alld.c crypto/evp/c_alld.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_lib.c crypto/evp/evp_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/bio_ok.c crypto/evp/bio_ok.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_pkey.c crypto/evp/evp_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/evp_pbe.c crypto/evp/evp_pbe.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p5_crpt.c crypto/evp/p5_crpt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/p5_crpt2.c crypto/evp/p5_crpt2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/evp/e_old.c crypto/evp/e_old.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_object.c crypto/asn1/a_object.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_utctm.c crypto/asn1/a_utctm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_gentm.c crypto/asn1/a_gentm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_time.c crypto/asn1/a_time.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_int.c crypto/asn1/a_int.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_octet.c crypto/asn1/a_octet.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_print.c crypto/asn1/a_print.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_type.c crypto/asn1/a_type.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_set.c crypto/asn1/a_set.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_dup.c crypto/asn1/a_dup.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_d2i_fp.c crypto/asn1/a_d2i_fp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_i2d_fp.c crypto/asn1/a_i2d_fp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_enum.c crypto/asn1/a_enum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_utf8.c crypto/asn1/a_utf8.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_sign.c crypto/asn1/a_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_digest.c crypto/asn1/a_digest.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_verify.c crypto/asn1/a_verify.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_mbstr.c crypto/asn1/a_mbstr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_strex.c crypto/asn1/a_strex.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_algor.c crypto/asn1/x_algor.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_val.c crypto/asn1/x_val.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_pubkey.c crypto/asn1/x_pubkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_sig.c crypto/asn1/x_sig.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_req.c crypto/asn1/x_req.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_attrib.c crypto/asn1/x_attrib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_bignum.c crypto/asn1/x_bignum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_long.c crypto/asn1/x_long.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_name.c crypto/asn1/x_name.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_x509.c crypto/asn1/x_x509.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_x509a.c crypto/asn1/x_x509a.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_crl.c crypto/asn1/x_crl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_info.c crypto/asn1/x_info.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_spki.c crypto/asn1/x_spki.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/nsseq.c crypto/asn1/nsseq.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/d2i_pu.c crypto/asn1/d2i_pu.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/d2i_pr.c crypto/asn1/d2i_pr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/i2d_pu.c crypto/asn1/i2d_pu.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/i2d_pr.c crypto/asn1/i2d_pr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_req.c crypto/asn1/t_req.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_x509.c crypto/asn1/t_x509.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_x509a.c crypto/asn1/t_x509a.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_crl.c crypto/asn1/t_crl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_spki.c crypto/asn1/t_spki.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/t_bitst.c crypto/asn1/t_bitst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_new.c crypto/asn1/tasn_new.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_fre.c crypto/asn1/tasn_fre.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_enc.c crypto/asn1/tasn_enc.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_dec.c crypto/asn1/tasn_dec.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_utl.c crypto/asn1/tasn_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/tasn_typ.c crypto/asn1/tasn_typ.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/f_int.c crypto/asn1/f_int.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/f_string.c crypto/asn1/f_string.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/n_pkey.c crypto/asn1/n_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/f_enum.c crypto/asn1/f_enum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_hdr.c crypto/asn1/a_hdr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_pkey.c crypto/asn1/x_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_bool.c crypto/asn1/a_bool.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/x_exten.c crypto/asn1/x_exten.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn_mime.c crypto/asn1/asn_mime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_gen.c crypto/asn1/asn1_gen.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_par.c crypto/asn1/asn1_par.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_lib.c crypto/asn1/asn1_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn1_err.c crypto/asn1/asn1_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_meth.c crypto/asn1/a_meth.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_bytes.c crypto/asn1/a_bytes.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/a_strnid.c crypto/asn1/a_strnid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/evp_asn1.c crypto/asn1/evp_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn_pack.c crypto/asn1/asn_pack.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/p5_pbe.c crypto/asn1/p5_pbe.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/p5_pbev2.c crypto/asn1/p5_pbev2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/asn1/asn_moid.c crypto/asn1/asn_moid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_sign.c crypto/pem/pem_sign.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_seal.c crypto/pem/pem_seal.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_info.c crypto/pem/pem_info.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_lib.c crypto/pem/pem_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_all.c crypto/pem/pem_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_err.c crypto/pem/pem_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_x509.c crypto/pem/pem_x509.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_xaux.c crypto/pem/pem_xaux.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_oth.c crypto/pem/pem_oth.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_pk8.c crypto/pem/pem_pk8.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pem/pem_pkey.c crypto/pem/pem_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_def.c crypto/x509/x509_def.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_d2.c crypto/x509/x509_d2.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_r2x.c crypto/x509/x509_r2x.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_cmp.c crypto/x509/x509_cmp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_obj.c crypto/x509/x509_obj.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_req.c crypto/x509/x509_req.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509spki.c crypto/x509/x509spki.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_set.c crypto/x509/x509_set.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509cset.c crypto/x509/x509cset.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509rset.c crypto/x509/x509rset.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_err.c crypto/x509/x509_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509name.c crypto/x509/x509name.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_v3.c crypto/x509/x509_v3.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_ext.c crypto/x509/x509_ext.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_att.c crypto/x509/x509_att.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509type.c crypto/x509/x509type.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_lu.c crypto/x509/x509_lu.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x_all.c crypto/x509/x_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_txt.c crypto/x509/x509_txt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_trs.c crypto/x509/x509_trs.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/by_file.c crypto/x509/by_file.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/by_dir.c crypto/x509/by_dir.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509/x509_vpm.c crypto/x509/x509_vpm.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_bcons.c crypto/x509v3/v3_bcons.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_bitst.c crypto/x509v3/v3_bitst.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_conf.c crypto/x509v3/v3_conf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_extku.c crypto/x509v3/v3_extku.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_ia5.c crypto/x509v3/v3_ia5.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_lib.c crypto/x509v3/v3_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_prn.c crypto/x509v3/v3_prn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3err.c crypto/x509v3/v3err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_skey.c crypto/x509v3/v3_skey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_akey.c crypto/x509v3/v3_akey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pku.c crypto/x509v3/v3_pku.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_int.c crypto/x509v3/v3_int.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_enum.c crypto/x509v3/v3_enum.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_sxnet.c crypto/x509v3/v3_sxnet.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_cpols.c crypto/x509v3/v3_cpols.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_crld.c crypto/x509v3/v3_crld.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_info.c crypto/x509v3/v3_info.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_ocsp.c crypto/x509v3/v3_ocsp.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_akeya.c crypto/x509v3/v3_akeya.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pmaps.c crypto/x509v3/v3_pmaps.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pcons.c crypto/x509v3/v3_pcons.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pcia.c crypto/x509v3/v3_pcia.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_pci.c crypto/x509v3/v3_pci.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_cache.c crypto/x509v3/pcy_cache.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_node.c crypto/x509v3/pcy_node.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_data.c crypto/x509v3/pcy_data.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_map.c crypto/x509v3/pcy_map.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/pcy_lib.c crypto/x509v3/pcy_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_asid.c crypto/x509v3/v3_asid.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/x509v3/v3_addr.c crypto/x509v3/v3_addr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_err.c crypto/conf/conf_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_lib.c crypto/conf/conf_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_api.c crypto/conf/conf_api.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_def.c crypto/conf/conf_def.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_mod.c crypto/conf/conf_mod.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_mall.c crypto/conf/conf_mall.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/conf/conf_sap.c crypto/conf/conf_sap.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/txt_db/txt_db.c crypto/txt_db/txt_db.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_asn1.c crypto/pkcs7/pk7_asn1.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_lib.c crypto/pkcs7/pk7_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pkcs7err.c crypto/pkcs7/pkcs7err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_doit.c crypto/pkcs7/pk7_doit.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_attr.c crypto/pkcs7/pk7_attr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs7/pk7_mime.c crypto/pkcs7/pk7_mime.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_add.c crypto/pkcs12/p12_add.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_asn.c crypto/pkcs12/p12_asn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_attr.c crypto/pkcs12/p12_attr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_crpt.c crypto/pkcs12/p12_crpt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_crt.c crypto/pkcs12/p12_crt.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_decr.c crypto/pkcs12/p12_decr.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_init.c crypto/pkcs12/p12_init.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_key.c crypto/pkcs12/p12_key.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_kiss.c crypto/pkcs12/p12_kiss.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_mutl.c crypto/pkcs12/p12_mutl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_utl.c crypto/pkcs12/p12_utl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_npas.c crypto/pkcs12/p12_npas.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/pk12err.c crypto/pkcs12/pk12err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_p8d.c crypto/pkcs12/p12_p8d.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pkcs12/p12_p8e.c crypto/pkcs12/p12_p8e.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/comp_lib.c crypto/comp/comp_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/comp_err.c crypto/comp/comp_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/c_rle.c crypto/comp/c_rle.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/comp/c_zlib.c crypto/comp/c_zlib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_err.c crypto/engine/eng_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_lib.c crypto/engine/eng_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_list.c crypto/engine/eng_list.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_init.c crypto/engine/eng_init.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_ctrl.c crypto/engine/eng_ctrl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_table.c crypto/engine/eng_table.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_pkey.c crypto/engine/eng_pkey.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_fat.c crypto/engine/eng_fat.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_all.c crypto/engine/eng_all.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_rsa.c crypto/engine/tb_rsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_dsa.c crypto/engine/tb_dsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_ecdsa.c crypto/engine/tb_ecdsa.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_dh.c crypto/engine/tb_dh.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_ecdh.c crypto/engine/tb_ecdh.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_rand.c crypto/engine/tb_rand.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_store.c crypto/engine/tb_store.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_cipher.c crypto/engine/tb_cipher.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/tb_digest.c crypto/engine/tb_digest.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_openssl.c crypto/engine/eng_openssl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_cnf.c crypto/engine/eng_cnf.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_dyn.c crypto/engine/eng_dyn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_cryptodev.c crypto/engine/eng_cryptodev.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/engine/eng_padlock.c crypto/engine/eng_padlock.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_asn.c crypto/ocsp/ocsp_asn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_ext.c crypto/ocsp/ocsp_ext.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_ht.c crypto/ocsp/ocsp_ht.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_lib.c crypto/ocsp/ocsp_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_cl.c crypto/ocsp/ocsp_cl.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_prn.c crypto/ocsp/ocsp_prn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_vfy.c crypto/ocsp/ocsp_vfy.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ocsp/ocsp_err.c crypto/ocsp/ocsp_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_err.c crypto/ui/ui_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_lib.c crypto/ui/ui_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_util.c crypto/ui/ui_util.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/ui/ui_compat.c crypto/ui/ui_compat.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_err.c crypto/store/str_err.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_lib.c crypto/store/str_lib.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_meth.c crypto/store/str_meth.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/store/str_mem.c crypto/store/str_mem.c -install -D /home/mjg59/Source/efi/edk2/CryptoPkg/Library/OpensslLib/openssl-0.9.8w/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c +DIR=$1 + +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/e_os.h e_os.h +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cryptlib.c crypto/cryptlib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dyn_lck.c crypto/dyn_lck.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/mem.c crypto/mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/mem_clr.c crypto/mem_clr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/mem_dbg.c crypto/mem_dbg.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cversion.c crypto/cversion.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ex_data.c crypto/ex_data.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cpt_err.c crypto/cpt_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ebcdic.c crypto/ebcdic.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/uid.c crypto/uid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_time.c crypto/o_time.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_str.c crypto/o_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_dir.c crypto/o_dir.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_init.c crypto/o_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/fips_err.c crypto/fips_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md2/md2_dgst.c crypto/md2/md2_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md2/md2_one.c crypto/md2/md2_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md4/md4_dgst.c crypto/md4/md4_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md4/md4_one.c crypto/md4/md4_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md5/md5_dgst.c crypto/md5/md5_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md5/md5_one.c crypto/md5/md5_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha_dgst.c crypto/sha/sha_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha1dgst.c crypto/sha/sha1dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha_one.c crypto/sha/sha_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha1_one.c crypto/sha/sha1_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha256.c crypto/sha/sha256.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha512.c crypto/sha/sha512.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/hmac/hmac.c crypto/hmac/hmac.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ripemd/rmd_dgst.c crypto/ripemd/rmd_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ripemd/rmd_one.c crypto/ripemd/rmd_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_lib.c crypto/des/des_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/set_key.c crypto/des/set_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ecb_enc.c crypto/des/ecb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cbc_enc.c crypto/des/cbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ecb3_enc.c crypto/des/ecb3_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cfb64enc.c crypto/des/cfb64enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cfb64ede.c crypto/des/cfb64ede.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cfb_enc.c crypto/des/cfb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ofb64ede.c crypto/des/ofb64ede.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/enc_read.c crypto/des/enc_read.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/enc_writ.c crypto/des/enc_writ.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ofb64enc.c crypto/des/ofb64enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ofb_enc.c crypto/des/ofb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/str2key.c crypto/des/str2key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/pcbc_enc.c crypto/des/pcbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/qud_cksm.c crypto/des/qud_cksm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/rand_key.c crypto/des/rand_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_enc.c crypto/des/des_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/fcrypt_b.c crypto/des/fcrypt_b.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/fcrypt.c crypto/des/fcrypt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/xcbc_enc.c crypto/des/xcbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/rpc_enc.c crypto/des/rpc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cbc_cksm.c crypto/des/cbc_cksm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ede_cbcm_enc.c crypto/des/ede_cbcm_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_old.c crypto/des/des_old.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_old2.c crypto/des/des_old2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/read2pwd.c crypto/des/read2pwd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2_ecb.c crypto/rc2/rc2_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2_skey.c crypto/rc2/rc2_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2_cbc.c crypto/rc2/rc2_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2cfb64.c crypto/rc2/rc2cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2ofb64.c crypto/rc2/rc2ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc4/rc4_enc.c crypto/rc4/rc4_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc4/rc4_skey.c crypto/rc4/rc4_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc4/rc4_fblk.c crypto/rc4/rc4_fblk.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_cbc.c crypto/idea/i_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_cfb64.c crypto/idea/i_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_ofb64.c crypto/idea/i_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_ecb.c crypto/idea/i_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_skey.c crypto/idea/i_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_skey.c crypto/bf/bf_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_ecb.c crypto/bf/bf_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_enc.c crypto/bf/bf_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_cfb64.c crypto/bf/bf_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_ofb64.c crypto/bf/bf_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_skey.c crypto/cast/c_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_ecb.c crypto/cast/c_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_enc.c crypto/cast/c_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_cfb64.c crypto/cast/c_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_ofb64.c crypto/cast/c_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_misc.c crypto/aes/aes_misc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ecb.c crypto/aes/aes_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ofb.c crypto/aes/aes_ofb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ctr.c crypto/aes/aes_ctr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ige.c crypto/aes/aes_ige.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_wrap.c crypto/aes/aes_wrap.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_core.c crypto/aes/aes_core.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_cbc.c crypto/aes/aes_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_add.c crypto/bn/bn_add.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_div.c crypto/bn/bn_div.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_exp.c crypto/bn/bn_exp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_lib.c crypto/bn/bn_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_ctx.c crypto/bn/bn_ctx.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mul.c crypto/bn/bn_mul.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mod.c crypto/bn/bn_mod.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_print.c crypto/bn/bn_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_rand.c crypto/bn/bn_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_shift.c crypto/bn/bn_shift.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_word.c crypto/bn/bn_word.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_blind.c crypto/bn/bn_blind.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_kron.c crypto/bn/bn_kron.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_sqrt.c crypto/bn/bn_sqrt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_gcd.c crypto/bn/bn_gcd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_prime.c crypto/bn/bn_prime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_err.c crypto/bn/bn_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_sqr.c crypto/bn/bn_sqr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_asm.c crypto/bn/bn_asm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_recp.c crypto/bn/bn_recp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mont.c crypto/bn/bn_mont.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mpi.c crypto/bn/bn_mpi.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_exp2.c crypto/bn/bn_exp2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_gf2m.c crypto/bn/bn_gf2m.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_nist.c crypto/bn/bn_nist.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_depr.c crypto/bn/bn_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_x931p.c crypto/bn/bn_x931p.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_const.c crypto/bn/bn_const.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_opt.c crypto/bn/bn_opt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_gen.c crypto/rsa/rsa_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_sign.c crypto/rsa/rsa_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_saos.c crypto/rsa/rsa_saos.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_err.c crypto/rsa/rsa_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_pk1.c crypto/rsa/rsa_pk1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_ssl.c crypto/rsa/rsa_ssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_none.c crypto/rsa/rsa_none.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_chk.c crypto/rsa/rsa_chk.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_null.c crypto/rsa/rsa_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_pss.c crypto/rsa/rsa_pss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_x931.c crypto/rsa/rsa_x931.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_x931g.c crypto/rsa/rsa_x931g.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_asn1.c crypto/rsa/rsa_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_depr.c crypto/rsa/rsa_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_eng.c crypto/rsa/rsa_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_gen.c crypto/dsa/dsa_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_key.c crypto/dsa/dsa_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_asn1.c crypto/dsa/dsa_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_vrf.c crypto/dsa/dsa_vrf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_sign.c crypto/dsa/dsa_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_err.c crypto/dsa/dsa_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_ossl.c crypto/dsa/dsa_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_depr.c crypto/dsa/dsa_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_utl.c crypto/dsa/dsa_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_dl.c crypto/dso/dso_dl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_dlfcn.c crypto/dso/dso_dlfcn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_err.c crypto/dso/dso_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_lib.c crypto/dso/dso_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_null.c crypto/dso/dso_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_openssl.c crypto/dso/dso_openssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_win32.c crypto/dso/dso_win32.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_vms.c crypto/dso/dso_vms.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_asn1.c crypto/dh/dh_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_gen.c crypto/dh/dh_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_key.c crypto/dh/dh_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_lib.c crypto/dh/dh_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_check.c crypto/dh/dh_check.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_err.c crypto/dh/dh_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_depr.c crypto/dh/dh_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_lib.c crypto/ec/ec_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ecp_smpl.c crypto/ec/ecp_smpl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ecp_mont.c crypto/ec/ecp_mont.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ecp_nist.c crypto/ec/ecp_nist.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_cvt.c crypto/ec/ec_cvt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_mult.c crypto/ec/ec_mult.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_err.c crypto/ec/ec_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_curve.c crypto/ec/ec_curve.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_check.c crypto/ec/ec_check.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_print.c crypto/ec/ec_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_key.c crypto/ec/ec_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec2_smpl.c crypto/ec/ec2_smpl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec2_mult.c crypto/ec/ec2_mult.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_lib.c crypto/ecdh/ech_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_ossl.c crypto/ecdh/ech_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_key.c crypto/ecdh/ech_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_err.c crypto/ecdh/ech_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_lib.c crypto/ecdsa/ecs_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_asn1.c crypto/ecdsa/ecs_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_sign.c crypto/ecdsa/ecs_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_vrf.c crypto/ecdsa/ecs_vrf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_err.c crypto/ecdsa/ecs_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/buffer/buffer.c crypto/buffer/buffer.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/buffer/buf_str.c crypto/buffer/buf_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/buffer/buf_err.c crypto/buffer/buf_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bio_lib.c crypto/bio/bio_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bio_cb.c crypto/bio/bio_cb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bio_err.c crypto/bio/bio_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_mem.c crypto/bio/bss_mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_null.c crypto/bio/bss_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_fd.c crypto/bio/bss_fd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_file.c crypto/bio/bss_file.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bf_null.c crypto/bio/bf_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bf_buff.c crypto/bio/bf_buff.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/b_dump.c crypto/bio/b_dump.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bf_nbio.c crypto/bio/bf_nbio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_log.c crypto/bio/bss_log.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_bio.c crypto/bio/bss_bio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_dgram.c crypto/bio/bss_dgram.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/stack/stack.c crypto/stack/stack.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/lhash/lhash.c crypto/lhash/lhash.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/lhash/lh_stats.c crypto/lhash/lh_stats.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/md_rand.c crypto/rand/md_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/randfile.c crypto/rand/randfile.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_lib.c crypto/rand/rand_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_eng.c crypto/rand/rand_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_err.c crypto/rand/rand_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_egd.c crypto/rand/rand_egd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_win.c crypto/rand/rand_win.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_unix.c crypto/rand/rand_unix.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_os2.c crypto/rand/rand_os2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_nw.c crypto/rand/rand_nw.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err.c crypto/err/err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_def.c crypto/err/err_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_all.c crypto/err/err_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_prn.c crypto/err/err_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_str.c crypto/err/err_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_bio.c crypto/err/err_bio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/o_names.c crypto/objects/o_names.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/obj_dat.c crypto/objects/obj_dat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/obj_lib.c crypto/objects/obj_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/obj_err.c crypto/objects/obj_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/encode.c crypto/evp/encode.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/digest.c crypto/evp/digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/dig_eng.c crypto/evp/dig_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_enc.c crypto/evp/evp_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_key.c crypto/evp/evp_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_acnf.c crypto/evp/evp_acnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_cnf.c crypto/evp/evp_cnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_des.c crypto/evp/e_des.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_bf.c crypto/evp/e_bf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_idea.c crypto/evp/e_idea.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_des3.c crypto/evp/e_des3.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_rc4.c crypto/evp/e_rc4.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_aes.c crypto/evp/e_aes.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/names.c crypto/evp/names.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_xcbc_d.c crypto/evp/e_xcbc_d.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_rc2.c crypto/evp/e_rc2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_cast.c crypto/evp/e_cast.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_rc5.c crypto/evp/e_rc5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/enc_min.c crypto/evp/enc_min.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_null.c crypto/evp/m_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_md2.c crypto/evp/m_md2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_md4.c crypto/evp/m_md4.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_md5.c crypto/evp/m_md5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_sha.c crypto/evp/m_sha.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_sha1.c crypto/evp/m_sha1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_dss.c crypto/evp/m_dss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_dss1.c crypto/evp/m_dss1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_ripemd.c crypto/evp/m_ripemd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_ecdsa.c crypto/evp/m_ecdsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_open.c crypto/evp/p_open.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_seal.c crypto/evp/p_seal.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_sign.c crypto/evp/p_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_verify.c crypto/evp/p_verify.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_lib.c crypto/evp/p_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_enc.c crypto/evp/p_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_dec.c crypto/evp/p_dec.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_md.c crypto/evp/bio_md.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_b64.c crypto/evp/bio_b64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_enc.c crypto/evp/bio_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_err.c crypto/evp/evp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_null.c crypto/evp/e_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/c_all.c crypto/evp/c_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/c_allc.c crypto/evp/c_allc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/c_alld.c crypto/evp/c_alld.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_lib.c crypto/evp/evp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_ok.c crypto/evp/bio_ok.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_pkey.c crypto/evp/evp_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_pbe.c crypto/evp/evp_pbe.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p5_crpt.c crypto/evp/p5_crpt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p5_crpt2.c crypto/evp/p5_crpt2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_old.c crypto/evp/e_old.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_object.c crypto/asn1/a_object.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_utctm.c crypto/asn1/a_utctm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_gentm.c crypto/asn1/a_gentm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_time.c crypto/asn1/a_time.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_int.c crypto/asn1/a_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_octet.c crypto/asn1/a_octet.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_print.c crypto/asn1/a_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_type.c crypto/asn1/a_type.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_set.c crypto/asn1/a_set.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_dup.c crypto/asn1/a_dup.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_d2i_fp.c crypto/asn1/a_d2i_fp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_i2d_fp.c crypto/asn1/a_i2d_fp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_enum.c crypto/asn1/a_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_utf8.c crypto/asn1/a_utf8.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_sign.c crypto/asn1/a_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_digest.c crypto/asn1/a_digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_verify.c crypto/asn1/a_verify.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_mbstr.c crypto/asn1/a_mbstr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_strex.c crypto/asn1/a_strex.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_algor.c crypto/asn1/x_algor.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_val.c crypto/asn1/x_val.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_pubkey.c crypto/asn1/x_pubkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_sig.c crypto/asn1/x_sig.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_req.c crypto/asn1/x_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_attrib.c crypto/asn1/x_attrib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_bignum.c crypto/asn1/x_bignum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_long.c crypto/asn1/x_long.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_name.c crypto/asn1/x_name.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_x509.c crypto/asn1/x_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_x509a.c crypto/asn1/x_x509a.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_crl.c crypto/asn1/x_crl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_info.c crypto/asn1/x_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_spki.c crypto/asn1/x_spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/nsseq.c crypto/asn1/nsseq.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/d2i_pu.c crypto/asn1/d2i_pu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/d2i_pr.c crypto/asn1/d2i_pr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/i2d_pu.c crypto/asn1/i2d_pu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/i2d_pr.c crypto/asn1/i2d_pr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_req.c crypto/asn1/t_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_x509.c crypto/asn1/t_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_x509a.c crypto/asn1/t_x509a.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_crl.c crypto/asn1/t_crl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_spki.c crypto/asn1/t_spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_bitst.c crypto/asn1/t_bitst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_new.c crypto/asn1/tasn_new.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_fre.c crypto/asn1/tasn_fre.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_enc.c crypto/asn1/tasn_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_dec.c crypto/asn1/tasn_dec.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_utl.c crypto/asn1/tasn_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_typ.c crypto/asn1/tasn_typ.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/f_int.c crypto/asn1/f_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/f_string.c crypto/asn1/f_string.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/n_pkey.c crypto/asn1/n_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/f_enum.c crypto/asn1/f_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_hdr.c crypto/asn1/a_hdr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_pkey.c crypto/asn1/x_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_bool.c crypto/asn1/a_bool.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_exten.c crypto/asn1/x_exten.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn_mime.c crypto/asn1/asn_mime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_gen.c crypto/asn1/asn1_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_par.c crypto/asn1/asn1_par.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_lib.c crypto/asn1/asn1_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_err.c crypto/asn1/asn1_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_meth.c crypto/asn1/a_meth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_bytes.c crypto/asn1/a_bytes.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_strnid.c crypto/asn1/a_strnid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/evp_asn1.c crypto/asn1/evp_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn_pack.c crypto/asn1/asn_pack.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/p5_pbe.c crypto/asn1/p5_pbe.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/p5_pbev2.c crypto/asn1/p5_pbev2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn_moid.c crypto/asn1/asn_moid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_sign.c crypto/pem/pem_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_seal.c crypto/pem/pem_seal.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_info.c crypto/pem/pem_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_lib.c crypto/pem/pem_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_all.c crypto/pem/pem_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_err.c crypto/pem/pem_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_x509.c crypto/pem/pem_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_xaux.c crypto/pem/pem_xaux.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_oth.c crypto/pem/pem_oth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_pk8.c crypto/pem/pem_pk8.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_pkey.c crypto/pem/pem_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_def.c crypto/x509/x509_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_d2.c crypto/x509/x509_d2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_r2x.c crypto/x509/x509_r2x.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_cmp.c crypto/x509/x509_cmp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_obj.c crypto/x509/x509_obj.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_req.c crypto/x509/x509_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509spki.c crypto/x509/x509spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_set.c crypto/x509/x509_set.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509cset.c crypto/x509/x509cset.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509rset.c crypto/x509/x509rset.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_err.c crypto/x509/x509_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509name.c crypto/x509/x509name.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_v3.c crypto/x509/x509_v3.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_ext.c crypto/x509/x509_ext.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_att.c crypto/x509/x509_att.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509type.c crypto/x509/x509type.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_lu.c crypto/x509/x509_lu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x_all.c crypto/x509/x_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_txt.c crypto/x509/x509_txt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_trs.c crypto/x509/x509_trs.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/by_file.c crypto/x509/by_file.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/by_dir.c crypto/x509/by_dir.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_vpm.c crypto/x509/x509_vpm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_bcons.c crypto/x509v3/v3_bcons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_bitst.c crypto/x509v3/v3_bitst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_conf.c crypto/x509v3/v3_conf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_extku.c crypto/x509v3/v3_extku.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_ia5.c crypto/x509v3/v3_ia5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_lib.c crypto/x509v3/v3_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_prn.c crypto/x509v3/v3_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3err.c crypto/x509v3/v3err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_skey.c crypto/x509v3/v3_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_akey.c crypto/x509v3/v3_akey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pku.c crypto/x509v3/v3_pku.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_int.c crypto/x509v3/v3_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_enum.c crypto/x509v3/v3_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_sxnet.c crypto/x509v3/v3_sxnet.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_cpols.c crypto/x509v3/v3_cpols.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_crld.c crypto/x509v3/v3_crld.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_info.c crypto/x509v3/v3_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_ocsp.c crypto/x509v3/v3_ocsp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_akeya.c crypto/x509v3/v3_akeya.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pmaps.c crypto/x509v3/v3_pmaps.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pcons.c crypto/x509v3/v3_pcons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pcia.c crypto/x509v3/v3_pcia.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pci.c crypto/x509v3/v3_pci.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_cache.c crypto/x509v3/pcy_cache.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_node.c crypto/x509v3/pcy_node.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_data.c crypto/x509v3/pcy_data.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_map.c crypto/x509v3/pcy_map.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_lib.c crypto/x509v3/pcy_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_asid.c crypto/x509v3/v3_asid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_addr.c crypto/x509v3/v3_addr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_err.c crypto/conf/conf_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_lib.c crypto/conf/conf_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_api.c crypto/conf/conf_api.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_def.c crypto/conf/conf_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_mod.c crypto/conf/conf_mod.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_mall.c crypto/conf/conf_mall.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_sap.c crypto/conf/conf_sap.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/txt_db/txt_db.c crypto/txt_db/txt_db.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_asn1.c crypto/pkcs7/pk7_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_lib.c crypto/pkcs7/pk7_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pkcs7err.c crypto/pkcs7/pkcs7err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_doit.c crypto/pkcs7/pk7_doit.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_attr.c crypto/pkcs7/pk7_attr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_mime.c crypto/pkcs7/pk7_mime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_add.c crypto/pkcs12/p12_add.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_asn.c crypto/pkcs12/p12_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_attr.c crypto/pkcs12/p12_attr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_crpt.c crypto/pkcs12/p12_crpt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_crt.c crypto/pkcs12/p12_crt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_decr.c crypto/pkcs12/p12_decr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_init.c crypto/pkcs12/p12_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_key.c crypto/pkcs12/p12_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_kiss.c crypto/pkcs12/p12_kiss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_mutl.c crypto/pkcs12/p12_mutl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_utl.c crypto/pkcs12/p12_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_npas.c crypto/pkcs12/p12_npas.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/pk12err.c crypto/pkcs12/pk12err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_p8d.c crypto/pkcs12/p12_p8d.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_p8e.c crypto/pkcs12/p12_p8e.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/comp_lib.c crypto/comp/comp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/comp_err.c crypto/comp/comp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/c_rle.c crypto/comp/c_rle.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/c_zlib.c crypto/comp/c_zlib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_err.c crypto/engine/eng_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_lib.c crypto/engine/eng_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_list.c crypto/engine/eng_list.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_init.c crypto/engine/eng_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_ctrl.c crypto/engine/eng_ctrl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_table.c crypto/engine/eng_table.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_pkey.c crypto/engine/eng_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_fat.c crypto/engine/eng_fat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_all.c crypto/engine/eng_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_rsa.c crypto/engine/tb_rsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_dsa.c crypto/engine/tb_dsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_ecdsa.c crypto/engine/tb_ecdsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_dh.c crypto/engine/tb_dh.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_ecdh.c crypto/engine/tb_ecdh.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_rand.c crypto/engine/tb_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_store.c crypto/engine/tb_store.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_cipher.c crypto/engine/tb_cipher.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_digest.c crypto/engine/tb_digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_openssl.c crypto/engine/eng_openssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_cnf.c crypto/engine/eng_cnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_dyn.c crypto/engine/eng_dyn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_cryptodev.c crypto/engine/eng_cryptodev.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_padlock.c crypto/engine/eng_padlock.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_asn.c crypto/ocsp/ocsp_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_ext.c crypto/ocsp/ocsp_ext.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_ht.c crypto/ocsp/ocsp_ht.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_lib.c crypto/ocsp/ocsp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_cl.c crypto/ocsp/ocsp_cl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_prn.c crypto/ocsp/ocsp_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_vfy.c crypto/ocsp/ocsp_vfy.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_err.c crypto/ocsp/ocsp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_err.c crypto/ui/ui_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_lib.c crypto/ui/ui_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_util.c crypto/ui/ui_util.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_compat.c crypto/ui/ui_compat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_err.c crypto/store/str_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_lib.c crypto/store/str_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_meth.c crypto/store/str_meth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_mem.c crypto/store/str_mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c diff --git a/Cryptlib/Pk/CryptPkcs7Sign.c b/Cryptlib/Pk/CryptPkcs7Sign.c new file mode 100644 index 0000000..63fe78f --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7Sign.c @@ -0,0 +1,207 @@ +/** @file + PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL. + +Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +#include +#include +#include + + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval TRUE PKCS#7 data signing succeeded. + @retval FALSE PKCS#7 data signing failed. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + BOOLEAN Status; + EVP_PKEY *Key; + BIO *DataBio; + PKCS7 *Pkcs7; + UINT8 *RsaContext; + UINT8 *P7Data; + UINTN P7DataSize; + UINT8 *Tmp; + + // + // Check input parameters. + // + if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL || + SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) { + return FALSE; + } + + RsaContext = NULL; + Key = NULL; + Pkcs7 = NULL; + DataBio = NULL; + Status = FALSE; + + // + // Retrieve RSA private key from PEM data. + // + Status = RsaGetPrivateKeyFromPem ( + PrivateKey, + PrivateKeySize, + (CONST CHAR8 *) KeyPassword, + (VOID **) &RsaContext + ); + if (!Status) { + return Status; + } + + Status = FALSE; + + // + // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling + // + if (EVP_add_digest (EVP_md5 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + goto _Exit; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + goto _Exit; + } + + RandomSeed (NULL, 0); + + // + // Construct OpenSSL EVP_PKEY for private key. + // + Key = EVP_PKEY_new (); + if (Key == NULL) { + goto _Exit; + } + Key->save_type = EVP_PKEY_RSA; + Key->type = EVP_PKEY_type (EVP_PKEY_RSA); + Key->pkey.rsa = (RSA *) RsaContext; + + // + // Convert the data to be signed to BIO format. + // + DataBio = BIO_new (BIO_s_mem ()); + if (DataBio == NULL) { + goto _Exit; + } + + if (BIO_write (DataBio, InData, (int) InDataSize) <= 0) { + goto _Exit; + } + + // + // Create the PKCS#7 signedData structure. + // + Pkcs7 = PKCS7_sign ( + (X509 *) SignCert, + Key, + (STACK_OF(X509) *) OtherCerts, + DataBio, + PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED + ); + if (Pkcs7 == NULL) { + goto _Exit; + } + + // + // Convert PKCS#7 signedData structure into DER-encoded buffer. + // + P7DataSize = i2d_PKCS7 (Pkcs7, NULL); + if (P7DataSize <= 19) { + goto _Exit; + } + + P7Data = malloc (P7DataSize); + if (P7Data == NULL) { + goto _Exit; + } + + Tmp = P7Data; + P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp); + ASSERT (P7DataSize > 19); + + // + // Strip ContentInfo to content only for signeddata. The data be trimmed off + // is totally 19 bytes. + // + *SignedDataSize = P7DataSize - 19; + *SignedData = malloc (*SignedDataSize); + if (*SignedData == NULL) { + OPENSSL_free (P7Data); + goto _Exit; + } + + CopyMem (*SignedData, P7Data + 19, *SignedDataSize); + + OPENSSL_free (P7Data); + + Status = TRUE; + +_Exit: + // + // Release Resources + // + if (RsaContext != NULL) { + RsaFree (RsaContext); + if (Key != NULL) { + Key->pkey.rsa = NULL; + } + } + + if (Key != NULL) { + EVP_PKEY_free (Key); + } + + if (DataBio != NULL) { + BIO_free (DataBio); + } + + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } + + return Status; +} diff --git a/Cryptlib/Pk/CryptPkcs7SignNull.c b/Cryptlib/Pk/CryptPkcs7SignNull.c new file mode 100644 index 0000000..539bb6b --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7SignNull.c @@ -0,0 +1,59 @@ +/** @file + PKCS#7 SignedData Sign Wrapper Implementation which does not provide real + capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message + Syntax Standard, version 1.5". This interface is only intended to be used for + application to perform PKCS#7 functionality validation. + + Return FALSE to indicate this interface is not supported. + + @param[in] PrivateKey Pointer to the PEM-formatted private key data for + data signing. + @param[in] PrivateKeySize Size of the PEM private key data in bytes. + @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM + key data. + @param[in] InData Pointer to the content to be signed. + @param[in] InDataSize Size of InData in bytes. + @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. + @param[in] OtherCerts Pointer to an optional additional set of certificates to + include in the PKCS#7 signedData (e.g. any intermediate + CAs in the chain). + @param[out] SignedData Pointer to output PKCS#7 signedData. + @param[out] SignedDataSize Size of SignedData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Sign ( + IN CONST UINT8 *PrivateKey, + IN UINTN PrivateKeySize, + IN CONST UINT8 *KeyPassword, + IN UINT8 *InData, + IN UINTN InDataSize, + IN UINT8 *SignCert, + IN UINT8 *OtherCerts OPTIONAL, + OUT UINT8 **SignedData, + OUT UINTN *SignedDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + diff --git a/Cryptlib/Pk/CryptPkcs7.c b/Cryptlib/Pk/CryptPkcs7Verify.c similarity index 74% rename from Cryptlib/Pk/CryptPkcs7.c rename to Cryptlib/Pk/CryptPkcs7Verify.c index 218e7ac..05c3f87 100644 --- a/Cryptlib/Pk/CryptPkcs7.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -10,7 +10,7 @@ WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated Variable and will do basic check for data structure. -Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -25,6 +25,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include #include +#include #include UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; @@ -110,182 +111,6 @@ X509VerifyCb ( return Status; } -/** - Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message - Syntax Standard, version 1.5". This interface is only intended to be used for - application to perform PKCS#7 functionality validation. - - @param[in] PrivateKey Pointer to the PEM-formatted private key data for - data signing. - @param[in] PrivateKeySize Size of the PEM private key data in bytes. - @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM - key data. - @param[in] InData Pointer to the content to be signed. - @param[in] InDataSize Size of InData in bytes. - @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. - @param[in] OtherCerts Pointer to an optional additional set of certificates to - include in the PKCS#7 signedData (e.g. any intermediate - CAs in the chain). - @param[out] SignedData Pointer to output PKCS#7 signedData. - @param[out] SignedDataSize Size of SignedData in bytes. - - @retval TRUE PKCS#7 data signing succeeded. - @retval FALSE PKCS#7 data signing failed. - -**/ -BOOLEAN -EFIAPI -Pkcs7Sign ( - IN CONST UINT8 *PrivateKey, - IN UINTN PrivateKeySize, - IN CONST UINT8 *KeyPassword, - IN UINT8 *InData, - IN UINTN InDataSize, - IN UINT8 *SignCert, - IN UINT8 *OtherCerts OPTIONAL, - OUT UINT8 **SignedData, - OUT UINTN *SignedDataSize - ) -{ - BOOLEAN Status; - EVP_PKEY *Key; - BIO *DataBio; - PKCS7 *Pkcs7; - UINT8 *RsaContext; - UINT8 *P7Data; - UINTN P7DataSize; - UINT8 *Tmp; - - // - // Check input parameters. - // - if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL || - SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) { - return FALSE; - } - - RsaContext = NULL; - Key = NULL; - Pkcs7 = NULL; - DataBio = NULL; - Status = FALSE; - - // - // Retrieve RSA private key from PEM data. - // - Status = RsaGetPrivateKeyFromPem ( - PrivateKey, - PrivateKeySize, - (CONST CHAR8 *) KeyPassword, - (VOID **) &RsaContext - ); - if (!Status) { - return Status; - } - - // - // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling - // - EVP_add_digest (EVP_md5()); - EVP_add_digest (EVP_sha1()); - EVP_add_digest (EVP_sha256()); - RandomSeed (NULL, 0); - - // - // Construct OpenSSL EVP_PKEY for private key. - // - Key = EVP_PKEY_new (); - if (Key == NULL) { - Status = FALSE; - goto _Exit; - } - Key->save_type = EVP_PKEY_RSA; - Key->type = EVP_PKEY_type (EVP_PKEY_RSA); - Key->pkey.rsa = (RSA *) RsaContext; - - // - // Convert the data to be signed to BIO format. - // - DataBio = BIO_new (BIO_s_mem ()); - BIO_write (DataBio, InData, (int) InDataSize); - - // - // Create the PKCS#7 signedData structure. - // - Pkcs7 = PKCS7_sign ( - (X509 *) SignCert, - Key, - (STACK_OF(X509) *) OtherCerts, - DataBio, - PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED - ); - if (Pkcs7 == NULL) { - Status = FALSE; - goto _Exit; - } - - // - // Convert PKCS#7 signedData structure into DER-encoded buffer. - // - P7DataSize = i2d_PKCS7 (Pkcs7, NULL); - if (P7DataSize <= 19) { - Status = FALSE; - goto _Exit; - } - - P7Data = malloc (P7DataSize); - if (P7Data == NULL) { - Status = FALSE; - goto _Exit; - } - - Tmp = P7Data; - P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp); - - // - // Strip ContentInfo to content only for signeddata. The data be trimmed off - // is totally 19 bytes. - // - *SignedDataSize = P7DataSize - 19; - *SignedData = malloc (*SignedDataSize); - if (*SignedData == NULL) { - Status = FALSE; - OPENSSL_free (P7Data); - goto _Exit; - } - - CopyMem (*SignedData, P7Data + 19, *SignedDataSize); - - OPENSSL_free (P7Data); - - Status = TRUE; - -_Exit: - // - // Release Resources - // - if (RsaContext != NULL) { - RsaFree (RsaContext); - if (Key != NULL) { - Key->pkey.rsa = NULL; - } - } - - if (Key != NULL) { - EVP_PKEY_free (Key); - } - - if (DataBio != NULL) { - BIO_free (DataBio); - } - - if (Pkcs7 != NULL) { - PKCS7_free (Pkcs7); - } - - return Status; -} - /** Check input P7Data is a wrapped ContentInfo structure or not. If not construct a new structure to wrap P7Data. @@ -394,6 +219,91 @@ WrapPkcs7Data ( return TRUE; } +/** + Pop single certificate from STACK_OF(X509). + + If X509Stack, Cert, or CertSize is NULL, then return FALSE. + + @param[in] X509Stack Pointer to a X509 stack object. + @param[out] Cert Pointer to a X509 certificate. + @param[out] CertSize Length of output X509 certificate in bytes. + + @retval TRUE The X509 stack pop succeeded. + @retval FALSE The pop operation failed. + +**/ +BOOLEAN +X509PopCertificate ( + IN VOID *X509Stack, + OUT UINT8 **Cert, + OUT UINTN *CertSize + ) +{ + BIO *CertBio; + X509 *X509Cert; + STACK_OF(X509) *CertStack; + BOOLEAN Status; + INT32 Result; + INT32 Length; + VOID *Buffer; + + Status = FALSE; + + if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) { + return Status; + } + + CertStack = (STACK_OF(X509) *) X509Stack; + + X509Cert = sk_X509_pop (CertStack); + + if (X509Cert == NULL) { + return Status; + } + + Buffer = NULL; + + CertBio = BIO_new (BIO_s_mem ()); + if (CertBio == NULL) { + return Status; + } + + Result = i2d_X509_bio (CertBio, X509Cert); + if (Result == 0) { + goto _Exit; + } + + Length = ((BUF_MEM *) CertBio->ptr)->length; + if (Length <= 0) { + goto _Exit; + } + + Buffer = malloc (Length); + if (Buffer == NULL) { + goto _Exit; + } + + Result = BIO_read (CertBio, Buffer, Length); + if (Result != Length) { + goto _Exit; + } + + *Cert = Buffer; + *CertSize = Length; + + Status = TRUE; + +_Exit: + + BIO_free (CertBio); + + if (!Status && (Buffer != NULL)) { + free (Buffer); + } + + return Status; +} + /** Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: Cryptographic Message Syntax Standard". The input signed data could be wrapped @@ -634,7 +544,6 @@ Pkcs7Verify ( ) { PKCS7 *Pkcs7; - BIO *CertBio; BIO *DataBio; BOOLEAN Status; X509 *Cert; @@ -653,7 +562,6 @@ Pkcs7Verify ( } Pkcs7 = NULL; - CertBio = NULL; DataBio = NULL; Cert = NULL; CertStore = NULL; @@ -661,10 +569,19 @@ Pkcs7Verify ( // // Register & Initialize necessary digest algorithms for PKCS#7 Handling // - EVP_add_digest (EVP_md5()); - EVP_add_digest (EVP_sha1()); - EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA); - EVP_add_digest (EVP_sha256()); + if (EVP_add_digest (EVP_md5 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + if (EVP_add_digest (EVP_sha256 ()) == 0) { + return FALSE; + } + if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) { + return FALSE; + } + Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize); if (!Status) { @@ -696,12 +613,7 @@ Pkcs7Verify ( // // Read DER-encoded root certificate and Construct X509 Certificate // - CertBio = BIO_new (BIO_s_mem ()); - BIO_write (CertBio, TrustedCert, (int)CertLength); - if (CertBio == NULL) { - goto _Exit; - } - Cert = d2i_X509_bio (CertBio, NULL); + Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength); if (Cert == NULL) { goto _Exit; } @@ -728,7 +640,20 @@ Pkcs7Verify ( // in PKCS#7 structure. So ignore NULL checking here. // DataBio = BIO_new (BIO_s_mem ()); - BIO_write (DataBio, InData, (int)DataLength); + if (DataBio == NULL) { + goto _Exit; + } + + if (BIO_write (DataBio, InData, (int) DataLength) <= 0) { + goto _Exit; + } + + // + // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and + // doesn't support the extended key usage for Authenticode Code Signing. + // Bypass the certificate purpose checking by enabling any purposes setting. + // + X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); // // Verifies the PKCS#7 signedData structure @@ -740,7 +665,6 @@ _Exit: // Release Resources // BIO_free (DataBio); - BIO_free (CertBio); X509_free (Cert); X509_STORE_free (CertStore); PKCS7_free (Pkcs7); diff --git a/Cryptlib/Pk/CryptPkcs7VerifyNull.c b/Cryptlib/Pk/CryptPkcs7VerifyNull.c new file mode 100644 index 0000000..9a4c77a --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7VerifyNull.c @@ -0,0 +1,100 @@ +/** @file + PKCS#7 SignedData Verification Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. + It's caller's responsiblity to free the buffer. + @param[out] StackLength Length of signer's certificates in bytes. + @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. + It's caller's responsiblity to free the buffer. + @param[out] CertLength Length of the trusted certificate in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSigners ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **CertStack, + OUT UINTN *StackLength, + OUT UINT8 **TrustedCert, + OUT UINTN *CertLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Wrap function to use free() to free allocated memory for certificates. + + If the interface is not supported, then ASSERT(). + + @param[in] Certs Pointer to the certificates to be freed. + +**/ +VOID +EFIAPI +Pkcs7FreeSigners ( + IN UINT8 *Certs + ) +{ + ASSERT (FALSE); +} + +/** + Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be wrapped + in a ContentInfo structure. + + Return FALSE to indicate this interface is not supported. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which + is used for certificate chain verification. + @param[in] CertLength Length of the trusted certificate in bytes. + @param[in] InData Pointer to the content to be verified. + @param[in] DataLength Length of InData in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7Verify ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + IN CONST UINT8 *TrustedCert, + IN UINTN CertLength, + IN CONST UINT8 *InData, + IN UINTN DataLength + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/Cryptlib/Pk/CryptRsaExtNull.c b/Cryptlib/Pk/CryptRsaExtNull.c new file mode 100644 index 0000000..e44cdde --- /dev/null +++ b/Cryptlib/Pk/CryptRsaExtNull.c @@ -0,0 +1,125 @@ +/** @file + RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. + + This file does not provide real capabilities for following APIs in RSA handling: + 1) RsaGetKey + 2) RsaGenerateKey + 3) RsaCheckKey + 4) RsaPkcs1Sign + +Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Gets the tag-designated RSA key component from the established RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[out] BigNumber Pointer to octet integer buffer. + @param[in, out] BnSize On input, the size of big number buffer in bytes. + On output, the size of data returned in big number buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + OUT UINT8 *BigNumber, + IN OUT UINTN *BnSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates RSA key components. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] ModulusLength Length of RSA modulus N in bits. + @param[in] PublicExponent Pointer to RSA public exponent. + @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaGenerateKey ( + IN OUT VOID *RsaContext, + IN UINTN ModulusLength, + IN CONST UINT8 *PublicExponent, + IN UINTN PublicExponentSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Validates key components of RSA context. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context to check. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaCheckKey ( + IN VOID *RsaContext + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. + + Return FALSE to indicate this interface is not supported. + + @param[in] RsaContext Pointer to RSA context for signature generation. + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Sign ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + + diff --git a/Cryptlib/Rand/CryptRand.c b/Cryptlib/Rand/CryptRand.c index dc3ab99..895ce83 100644 --- a/Cryptlib/Rand/CryptRand.c +++ b/Cryptlib/Rand/CryptRand.c @@ -1,7 +1,7 @@ /** @file Pseudorandom Number Generator Wrapper Implementation over OpenSSL. -Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "InternalCryptLib.h" #include +#include // // Default seed for UEFI Crypto Library @@ -47,6 +48,14 @@ RandomSeed ( return FALSE; } + // + // The software PRNG implementation built in OpenSSL depends on message digest algorithm. + // Make sure SHA-1 digest algorithm is available here. + // + if (EVP_add_digest (EVP_sha1 ()) == 0) { + return FALSE; + } + // // Seed the pseudorandom number generator with user-supplied value. // NOTE: A cryptographic PRNG must be seeded with unpredictable data. diff --git a/Cryptlib/update.sh b/Cryptlib/update.sh index 96bbece..57b6631 100755 --- a/Cryptlib/update.sh +++ b/Cryptlib/update.sh @@ -13,8 +13,13 @@ cp $DIR/Cipher/CryptAes.c Cipher/CryptAes.c cp $DIR/Cipher/CryptTdes.c Cipher/CryptTdes.c cp $DIR/Cipher/CryptArc4.c Cipher/CryptArc4.c cp $DIR/Rand/CryptRand.c Rand/CryptRand.c -cp $DIR/Pk/CryptRsa.c Pk/CryptRsa.c -cp $DIR/Pk/CryptPkcs7.c Pk/CryptPkcs7.c +cp $DIR/Pk/CryptRsaBasic.c Pk/CryptRsaBasic.c +cp $DIR/Pk/CryptRsaExt.c Pk/CryptRsaExt.c +cp $DIR/Pk/CryptRsaExtNull.c Pk/CryptRsaExtNull.c +cp $DIR/Pk/CryptPkcs7Sign.c Pk/CryptPkcs7Sign.c +cp $DIR/Pk/CryptPkcs7SignNull.c Pk/CryptPkcs7SignNull.c +cp $DIR/Pk/CryptPkcs7Verify.c Pk/CryptPkcs7Verify.c +cp $DIR/Pk/CryptPkcs7VerifyNull.c Pk/CryptPkcs7VerifyNull.c cp $DIR/Pk/CryptDh.c Pk/CryptDh.c cp $DIR/Pk/CryptX509.c Pk/CryptX509.c cp $DIR/Pk/CryptAuthenticode.c Pk/CryptAuthenticode.c From 2220be4e6aa959175230bdf71820c11c150d8b2e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 21 Jul 2014 16:15:07 -0400 Subject: [PATCH 132/163] Replace build instructions in README with something not completely wrong. These were really, really out of date. --- README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README b/README index 2977f2a..24a39df 100644 --- a/README +++ b/README @@ -12,5 +12,5 @@ in the shim.h header file and provides a single entry point. On 64-bit systems this entry point expects to be called with SysV ABI rather than MSABI, and so calls to it should not be wrapped. -To use shim, simply place a hex dump of the public certificate in cert.h -and build it with make. \ No newline at end of file +To use shim, simply place a DER-encoded public certificate in a file such as +pub.cer and build with "make VENDOR_CERT_FILE=pub.cer". From 4dabdb22b4d72ac21e9817c3d60711dc03f58059 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 12 Aug 2014 10:54:05 -0400 Subject: [PATCH 133/163] CryptLib: undefine va_arg and friends before redefining them Upstream GNU-EFI contains changes to efistdarg.h resulting in the va_start, va_arg and va_end macros to be #defined unconditionally. Make sure we #undef them before overriding the definitions. Signed-off-by: Ard Biesheuvel --- Cryptlib/Include/OpenSslSupport.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h index 5a2745d..9e56ced 100644 --- a/Cryptlib/Include/OpenSslSupport.h +++ b/Cryptlib/Include/OpenSslSupport.h @@ -35,6 +35,14 @@ typedef VOID *FILE; // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h // #if !defined(__CC_ARM) // if va_list is not already defined +/* + * These are now unconditionally #defined by GNU_EFI's efistdarg.h, + * so we should #undef them here before providing a new definition. + */ +#undef va_arg +#undef va_start +#undef va_end + #define va_list VA_LIST #define va_arg VA_ARG #define va_start VA_START From 277127d1b34778076c07556b11c6cbf917bf6252 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 12 Aug 2014 10:54:05 -0400 Subject: [PATCH 134/163] unhook_system_services: bail on systab == NULL Prevent unhook_system_services() from dereferencing a NULL systab, which may occur if hook_system_services() has never been called. Signed-off-by: Ard Biesheuvel --- replacements.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/replacements.c b/replacements.c index 48dc437..5dfa355 100644 --- a/replacements.c +++ b/replacements.c @@ -70,6 +70,9 @@ static EFI_HANDLE last_loaded_image; void unhook_system_services(void) { + if (!systab) + return; + systab->BootServices->Exit = system_exit; systab->BootServices->LoadImage = system_load_image; systab->BootServices->StartImage = system_start_image; From f7a182154e19e99e1eb88f5fe8111a37e68cda8e Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 12 Aug 2014 10:54:05 -0400 Subject: [PATCH 135/163] Factor out x86-isms and add cross compile support This patch cleans up and refactors the Makefiles to better allow new architectures to be added: - remove unused Makefile definitions - import Makefile definitions from top level rather than redefining - move x86 specific CFLAGS to inside ifeq() blocks - remove x86 inline asm - allow $(FORMAT) to be overridden: this is necessary as there exists no EFI or PE/COFF aware objcopy for ARM Signed-off-by: Ard Biesheuvel --- Cryptlib/Makefile | 16 ++++++-------- Cryptlib/OpenSSL/Makefile | 15 ++++++------- Makefile | 45 +++++++++++++++++++++++---------------- lib/Makefile | 14 ++++-------- netboot.c | 10 +-------- 5 files changed, 44 insertions(+), 56 deletions(-) diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index 678baac..73a1e2b 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -1,19 +1,15 @@ -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -EFI_INCLUDE = /usr/include/efi -EFI_INCLUDES = -nostdinc -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi - -LIB_GCC = $(shell $(CC) -print-libgcc-file-name) -EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) +EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ - -Wall $(EFI_INCLUDES) -mno-red-zone -maccumulate-outgoing-args -mno-sse -mno-mmx + -Wall $(EFI_INCLUDES) + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif ifeq ($(ARCH),ia32) - CFLAGS += -m32 + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 endif LDFLAGS = -nostdlib -znocombreloc diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 8e2f2a6..9097580 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -1,19 +1,16 @@ -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) -EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi -LIB_GCC = $(shell $(CC) -print-libgcc-file-name) -EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) - -CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ +CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG endif ifeq ($(ARCH),ia32) - CFLAGS += -m32 -DTHIRTY_TWO_BIT + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ + -m32 -DTHIRTY_TWO_BIT endif LDFLAGS = -nostdlib -znocombreloc diff --git a/Makefile b/Makefile index df190a2..f65bb3b 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,14 @@ -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) +CC = $(CROSS_COMPILE)gcc +LD = $(CROSS_COMPILE)ld +OBJCOPY = $(CROSS_COMPILE)objcopy + +ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) SUBDIRS = Cryptlib lib LIB_PATH = /usr/lib64 -EFI_INCLUDE = /usr/include/efi +EFI_INCLUDE := /usr/include/efi EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude EFI_PATH := /usr/lib64/gnuefi @@ -16,9 +20,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror \ - -mno-red-zone -maccumulate-outgoing-args \ - -mno-mmx -mno-sse -fno-builtin \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) @@ -26,12 +28,15 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) CFLAGS += -DOVERRIDE_SECURITY_POLICY endif + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif ifeq ($(ARCH),ia32) - CFLAGS += -m32 + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 endif + ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" endif @@ -95,26 +100,28 @@ MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: - $(MAKE) -C Cryptlib EFI_PATH=$(EFI_PATH) EFI_INCLUDE=$(EFI_INCLUDE) ARCH=$(ARCH) + $(MAKE) -C Cryptlib Cryptlib/OpenSSL/libopenssl.a: - $(MAKE) -C Cryptlib/OpenSSL EFI_PATH=$(EFI_PATH) EFI_INCLUDE=$(EFI_INCLUDE) ARCH=$(ARCH) + $(MAKE) -C Cryptlib/OpenSSL lib/lib.a: - $(MAKE) -C lib EFI_PATH=$(EFI_PATH) EFI_INCLUDE=$(EFI_INCLUDE) ARCH=$(ARCH) + $(MAKE) -C lib + +FORMAT ?= --target efi-app-$(ARCH) %.efi: %.so - objcopy -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel \ - -j .rela -j .reloc -j .eh_frame \ + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ -j .vendor_cert \ - --target=efi-app-$(ARCH) $^ $@ - objcopy -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel \ - -j .rela -j .reloc -j .eh_frame \ + $(FORMAT) $^ $@ + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ -j .debug_info -j .debug_abbrev -j .debug_aranges \ -j .debug_line -j .debug_str -j .debug_ranges \ - --target=efi-app-$(ARCH) $^ $@.debug + $(FORMAT) $^ $@.debug %.efi.signed: %.efi certdb/secmod.db pesign -n certdb -i $< -c "shim" -s -o $@ -f @@ -151,3 +158,5 @@ archive: tag @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" + +export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/lib/Makefile b/lib/Makefile index a9c9cf6..ebd21a1 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -2,23 +2,17 @@ TARGET = lib.a LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o -ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) - -EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include -EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o -EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -mno-red-zone -DBUILD_EFI -fno-builtin \ - -Werror \ + -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \ $(EFI_INCLUDES) + ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + CFLAGS += -mno-red-zone -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI endif ifeq ($(ARCH),ia32) - CFLAGS += -m32 + CFLAGS += -mno-red-zone -m32 endif lib.a: $(LIBFILES) diff --git a/netboot.c b/netboot.c index 5ef53f7..238937d 100644 --- a/netboot.c +++ b/netboot.c @@ -40,15 +40,7 @@ #include "netboot.h" #include "str.h" -static inline unsigned short int __swap16(unsigned short int x) -{ - __asm__("xchgb %b0,%h0" - : "=q" (x) - : "0" (x)); - return x; -} - -#define ntohs(x) __swap16(x) +#define ntohs(x) __builtin_bswap16(x) /* supported both by GCC and clang */ #define htons(x) ntohs(x) static EFI_PXE_BASE_CODE *pxe; From 9196c7cfbc974dcfdc4f3bde09bf56f1a92723e9 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 12 Aug 2014 10:54:05 -0400 Subject: [PATCH 136/163] Add support for 64-bit ARM (AArch64) This adds support for building the shim for a 64-bit ARM UEFI environment. Signed-off-by: Ard Biesheuvel --- Cryptlib/OpenSSL/Makefile | 3 ++ Makefile | 10 ++++++ elf_aarch64_efi.lds | 65 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 elf_aarch64_efi.lds diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 9097580..17b5695 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -12,6 +12,9 @@ ifeq ($(ARCH),ia32) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \ -m32 -DTHIRTY_TWO_BIT endif +ifeq ($(ARCH),aarch64) + CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif LDFLAGS = -nostdlib -znocombreloc TARGET = libopenssl.a diff --git a/Makefile b/Makefile index f65bb3b..3529b45 100644 --- a/Makefile +++ b/Makefile @@ -37,6 +37,10 @@ ifeq ($(ARCH),ia32) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 endif +ifeq ($(ARCH),aarch64) + CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif + ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" endif @@ -108,6 +112,12 @@ Cryptlib/OpenSSL/libopenssl.a: lib/lib.a: $(MAKE) -C lib +ifeq ($(ARCH),aarch64) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + FORMAT ?= --target efi-app-$(ARCH) %.efi: %.so diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds new file mode 100644 index 0000000..9c9a055 --- /dev/null +++ b/elf_aarch64_efi.lds @@ -0,0 +1,65 @@ +OUTPUT_FORMAT("elf64-littleaarch64", "elf64-littleaarch64", "elf64-littleaarch64") +OUTPUT_ARCH(aarch64) +ENTRY(_start) +SECTIONS +{ + .text 0x0 : { + *(.text.head) + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) + *(.srodata) + *(.rodata*) + . = ALIGN(16); + _etext = .; + } + .dynamic : { *(.dynamic) } + .data : + { + *(.sdata) + *(.data) + *(.data1) + *(.data.*) + *(.got.plt) + *(.got) + + /* the EFI loader doesn't seem to like a .bss section, so we stick + it all into .data: */ + . = ALIGN(16); + _bss = .; + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + . = ALIGN(16); + _bss_end = .; + } + + . = ALIGN(4096); + .vendor_cert : + { + *(.vendor_cert) + } + . = ALIGN(4096); + + .rela.dyn : { *(.rela.dyn) } + .rela.plt : { *(.rela.plt) } + .rela.got : { *(.rela.got) } + .rela.data : { *(.rela.data) *(.rela.data*) } + _edata = .; + _data_size = . - _etext; + + . = ALIGN(4096); + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } + . = ALIGN(4096); + /DISCARD/ : + { + *(.rel.reloc) + *(.eh_frame) + *(.note.GNU-stack) + } + .comment 0 : { *(.comment) } +} From 221faac51bc430c0bac3b26ff65b75ab6f24da58 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 12 Aug 2014 10:54:05 -0400 Subject: [PATCH 137/163] Add support for 32-bit ARM This adds support for building the shim for a 32-bit ARM UEFI environment. Signed-off-by: Ard Biesheuvel --- Cryptlib/OpenSSL/Makefile | 3 ++ Makefile | 10 ++++++ cert.S | 30 +++++++++--------- elf_arm_efi.lds | 65 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+), 16 deletions(-) create mode 100644 elf_arm_efi.lds diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 17b5695..7990b3c 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -15,6 +15,9 @@ endif ifeq ($(ARCH),aarch64) CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) endif +ifeq ($(ARCH),arm) + CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif LDFLAGS = -nostdlib -znocombreloc TARGET = libopenssl.a diff --git a/Makefile b/Makefile index 3529b45..5bc513c 100644 --- a/Makefile +++ b/Makefile @@ -41,6 +41,10 @@ ifeq ($(ARCH),aarch64) CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) endif +ifeq ($(ARCH),arm) + CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) +endif + ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" endif @@ -118,6 +122,12 @@ SUBSYSTEM := 0xa LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) endif +ifeq ($(ARCH),arm) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + FORMAT ?= --target efi-app-$(ARCH) %.efi: %.so diff --git a/cert.S b/cert.S index 3cfd665..cfc4525 100644 --- a/cert.S +++ b/cert.S @@ -1,9 +1,7 @@ .globl cert_table - .data - .align 16 - .type cert_table, @object + .type cert_table, %object .size cert_table, 4 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits cert_table: #if defined(VENDOR_CERT_FILE) .long vendor_cert_priv_end - vendor_cert_priv @@ -20,48 +18,48 @@ cert_table: #if defined(VENDOR_CERT_FILE) .data .align 1 - .type vendor_cert_priv, @object + .type vendor_cert_priv, %object .size vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_cert_priv: .incbin VENDOR_CERT_FILE vendor_cert_priv_end: #else .bss - .type vendor_cert_priv, @object + .type vendor_cert_priv, %object .size vendor_cert_priv, 1 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_cert_priv: .zero 1 .data .align 4 - .type vendor_cert_size_priv, @object + .type vendor_cert_size_priv, %object .size vendor_cert_size_priv, 4 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_cert_priv_end: #endif #if defined(VENDOR_DBX_FILE) .data .align 1 - .type vendor_dbx_priv, @object + .type vendor_dbx_priv, %object .size vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_dbx_priv: .incbin VENDOR_DBX_FILE vendor_dbx_priv_end: #else .bss - .type vendor_dbx_priv, @object + .type vendor_dbx_priv, %object .size vendor_dbx_priv, 1 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_dbx_priv: .zero 1 .data .align 4 - .type vendor_dbx_size_priv, @object + .type vendor_dbx_size_priv, %object .size vendor_dbx_size_priv, 4 - .section .vendor_cert, "a", @progbits + .section .vendor_cert, "a", %progbits vendor_dbx_priv_end: #endif diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds new file mode 100644 index 0000000..fd1075d --- /dev/null +++ b/elf_arm_efi.lds @@ -0,0 +1,65 @@ +OUTPUT_FORMAT("elf32-littlearm", "elf32-littlearm", "elf32-littlearm") +OUTPUT_ARCH(arm) +ENTRY(_start) +SECTIONS +{ + .text 0x0 : { + *(.text.head) + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) + *(.srodata) + *(.rodata*) + . = ALIGN(16); + _etext = .; + } + .dynamic : { *(.dynamic) } + .data : + { + *(.sdata) + *(.data) + *(.data1) + *(.data) + *(.got.plt) + *(.got) + + /* the EFI loader doesn't seem to like a .bss section, so we stick + it all into .data: */ + . = ALIGN(16); + _bss = .; + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + . = ALIGN(16); + _bss_end = .; + } + + . = ALIGN(4096); + .vendor_cert : + { + *(.vendor_cert) + } + . = ALIGN(4096); + + .rel.dyn : { *(.rel.dyn) } + .rel.plt : { *(.rel.plt) } + .rel.got : { *(.rel.got) } + .rel.data : { *(.rel.data) *(.rel.data*) } + _edata = .; + _data_size = . - _etext; + + . = ALIGN(4096); + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } + . = ALIGN(4096); + /DISCARD/ : + { + *(.rel.reloc) + *(.eh_frame) + *(.note.GNU-stack) + } + .comment 0 : { *(.comment) } +} From 5cbe75a3facfe8256454595ca3abbff7ad6076b0 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 19 Aug 2014 14:20:23 -0400 Subject: [PATCH 138/163] Update openssl to 0.9.8zb Also update to Tiano Cryptlib r15802 and remove the execute mode bits from the C and header files of openssl --- Cryptlib/OpenSSL/crypto/aes/aes_cbc.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_cfb.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_core.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_ctr.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_ecb.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_ige.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_misc.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_ofb.c | 0 Cryptlib/OpenSSL/crypto/aes/aes_wrap.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_bool.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_bytes.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_digest.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_dup.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_enum.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_gentm.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_hdr.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_int.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_meth.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_object.c | 30 +- Cryptlib/OpenSSL/crypto/asn1/a_octet.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_print.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_set.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_sign.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_strex.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_strnid.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_time.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_type.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_utctm.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_utf8.c | 0 Cryptlib/OpenSSL/crypto/asn1/a_verify.c | 0 Cryptlib/OpenSSL/crypto/asn1/asn1_err.c | 0 Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c | 0 Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c | 3 + Cryptlib/OpenSSL/crypto/asn1/asn1_par.c | 0 Cryptlib/OpenSSL/crypto/asn1/asn_mime.c | 2 + Cryptlib/OpenSSL/crypto/asn1/asn_moid.c | 0 Cryptlib/OpenSSL/crypto/asn1/asn_pack.c | 12 +- Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c | 0 Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c | 0 Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c | 6 +- Cryptlib/OpenSSL/crypto/asn1/f_enum.c | 0 Cryptlib/OpenSSL/crypto/asn1/f_int.c | 0 Cryptlib/OpenSSL/crypto/asn1/f_string.c | 0 Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c | 0 Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c | 0 Cryptlib/OpenSSL/crypto/asn1/n_pkey.c | 0 Cryptlib/OpenSSL/crypto/asn1/nsseq.c | 0 Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c | 0 Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c | 0 Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c | 0 Cryptlib/OpenSSL/crypto/asn1/t_bitst.c | 0 Cryptlib/OpenSSL/crypto/asn1/t_crl.c | 0 Cryptlib/OpenSSL/crypto/asn1/t_pkey.c | 0 Cryptlib/OpenSSL/crypto/asn1/t_req.c | 0 Cryptlib/OpenSSL/crypto/asn1/t_spki.c | 0 Cryptlib/OpenSSL/crypto/asn1/t_x509.c | 2 + Cryptlib/OpenSSL/crypto/asn1/t_x509a.c | 0 Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c | 0 Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c | 9 +- Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c | 0 Cryptlib/OpenSSL/crypto/asn1/tasn_new.c | 0 Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c | 0 Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_algor.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_attrib.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_bignum.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_crl.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_exten.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_info.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_long.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_name.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_pkey.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_req.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_sig.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_spki.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_val.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_x509.c | 0 Cryptlib/OpenSSL/crypto/asn1/x_x509a.c | 0 Cryptlib/OpenSSL/crypto/bf/bf_cfb64.c | 0 Cryptlib/OpenSSL/crypto/bf/bf_ecb.c | 0 Cryptlib/OpenSSL/crypto/bf/bf_enc.c | 0 Cryptlib/OpenSSL/crypto/bf/bf_ofb64.c | 0 Cryptlib/OpenSSL/crypto/bf/bf_skey.c | 0 Cryptlib/OpenSSL/crypto/bio/b_dump.c | 0 Cryptlib/OpenSSL/crypto/bio/bf_buff.c | 0 Cryptlib/OpenSSL/crypto/bio/bf_nbio.c | 0 Cryptlib/OpenSSL/crypto/bio/bf_null.c | 0 Cryptlib/OpenSSL/crypto/bio/bio_cb.c | 0 Cryptlib/OpenSSL/crypto/bio/bio_err.c | 0 Cryptlib/OpenSSL/crypto/bio/bio_lib.c | 4 +- Cryptlib/OpenSSL/crypto/bio/bss_bio.c | 0 Cryptlib/OpenSSL/crypto/bio/bss_dgram.c | 0 Cryptlib/OpenSSL/crypto/bio/bss_fd.c | 0 Cryptlib/OpenSSL/crypto/bio/bss_file.c | 0 Cryptlib/OpenSSL/crypto/bio/bss_log.c | 0 Cryptlib/OpenSSL/crypto/bio/bss_mem.c | 0 Cryptlib/OpenSSL/crypto/bio/bss_null.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_add.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_asm.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_blind.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_const.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_ctx.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_depr.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_div.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_err.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_exp.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_exp2.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_gcd.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c | 51 + Cryptlib/OpenSSL/crypto/bn/bn_kron.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_lib.c | 61 +- Cryptlib/OpenSSL/crypto/bn/bn_mod.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_mont.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_mpi.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_mul.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_nist.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_opt.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_prime.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_print.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_rand.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_recp.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_shift.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_sqr.c | 1 + Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_word.c | 0 Cryptlib/OpenSSL/crypto/bn/bn_x931p.c | 0 Cryptlib/OpenSSL/crypto/buffer/buf_err.c | 0 Cryptlib/OpenSSL/crypto/buffer/buf_str.c | 0 Cryptlib/OpenSSL/crypto/buffer/buffer.c | 0 Cryptlib/OpenSSL/crypto/cast/c_cfb64.c | 0 Cryptlib/OpenSSL/crypto/cast/c_ecb.c | 0 Cryptlib/OpenSSL/crypto/cast/c_enc.c | 0 Cryptlib/OpenSSL/crypto/cast/c_ofb64.c | 0 Cryptlib/OpenSSL/crypto/cast/c_skey.c | 0 Cryptlib/OpenSSL/crypto/comp/c_rle.c | 0 Cryptlib/OpenSSL/crypto/comp/c_zlib.c | 0 Cryptlib/OpenSSL/crypto/comp/comp_err.c | 0 Cryptlib/OpenSSL/crypto/comp/comp_lib.c | 0 Cryptlib/OpenSSL/crypto/conf/conf_api.c | 2 +- Cryptlib/OpenSSL/crypto/conf/conf_def.c | 2 +- Cryptlib/OpenSSL/crypto/conf/conf_err.c | 0 Cryptlib/OpenSSL/crypto/conf/conf_lib.c | 0 Cryptlib/OpenSSL/crypto/conf/conf_mall.c | 0 Cryptlib/OpenSSL/crypto/conf/conf_mod.c | 0 Cryptlib/OpenSSL/crypto/conf/conf_sap.c | 0 Cryptlib/OpenSSL/crypto/cpt_err.c | 0 Cryptlib/OpenSSL/crypto/cryptlib.c | 0 Cryptlib/OpenSSL/crypto/cversion.c | 0 Cryptlib/OpenSSL/crypto/des/cbc_cksm.c | 0 Cryptlib/OpenSSL/crypto/des/cbc_enc.c | 0 Cryptlib/OpenSSL/crypto/des/cfb64ede.c | 0 Cryptlib/OpenSSL/crypto/des/cfb64enc.c | 0 Cryptlib/OpenSSL/crypto/des/cfb_enc.c | 0 Cryptlib/OpenSSL/crypto/des/des_enc.c | 0 Cryptlib/OpenSSL/crypto/des/des_lib.c | 0 Cryptlib/OpenSSL/crypto/des/des_old.c | 0 Cryptlib/OpenSSL/crypto/des/des_old2.c | 0 Cryptlib/OpenSSL/crypto/des/ecb3_enc.c | 0 Cryptlib/OpenSSL/crypto/des/ecb_enc.c | 0 Cryptlib/OpenSSL/crypto/des/ede_cbcm_enc.c | 0 Cryptlib/OpenSSL/crypto/des/enc_read.c | 0 Cryptlib/OpenSSL/crypto/des/enc_writ.c | 0 Cryptlib/OpenSSL/crypto/des/fcrypt.c | 0 Cryptlib/OpenSSL/crypto/des/fcrypt_b.c | 0 Cryptlib/OpenSSL/crypto/des/ofb64ede.c | 0 Cryptlib/OpenSSL/crypto/des/ofb64enc.c | 0 Cryptlib/OpenSSL/crypto/des/ofb_enc.c | 0 Cryptlib/OpenSSL/crypto/des/pcbc_enc.c | 0 Cryptlib/OpenSSL/crypto/des/qud_cksm.c | 0 Cryptlib/OpenSSL/crypto/des/rand_key.c | 0 Cryptlib/OpenSSL/crypto/des/read2pwd.c | 0 Cryptlib/OpenSSL/crypto/des/rpc_enc.c | 0 Cryptlib/OpenSSL/crypto/des/set_key.c | 0 Cryptlib/OpenSSL/crypto/des/str2key.c | 0 Cryptlib/OpenSSL/crypto/des/xcbc_enc.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_asn1.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_check.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_depr.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_err.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_gen.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_key.c | 0 Cryptlib/OpenSSL/crypto/dh/dh_lib.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_asn1.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_depr.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_err.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_gen.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_key.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_lib.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_ossl.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_sign.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_utl.c | 0 Cryptlib/OpenSSL/crypto/dsa/dsa_vrf.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_dl.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_err.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_lib.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_null.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_openssl.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_vms.c | 0 Cryptlib/OpenSSL/crypto/dso/dso_win32.c | 0 Cryptlib/OpenSSL/crypto/dyn_lck.c | 0 Cryptlib/OpenSSL/crypto/ebcdic.c | 0 Cryptlib/OpenSSL/crypto/ec/ec2_mult.c | 0 Cryptlib/OpenSSL/crypto/ec/ec2_smpl.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_asn1.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_check.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_curve.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_cvt.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_err.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_key.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_lib.c | 2 +- Cryptlib/OpenSSL/crypto/ec/ec_mult.c | 0 Cryptlib/OpenSSL/crypto/ec/ec_print.c | 0 Cryptlib/OpenSSL/crypto/ec/ecp_mont.c | 0 Cryptlib/OpenSSL/crypto/ec/ecp_nist.c | 0 Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c | 190 ++-- Cryptlib/OpenSSL/crypto/ecdh/ech_err.c | 0 Cryptlib/OpenSSL/crypto/ecdh/ech_key.c | 0 Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c | 0 Cryptlib/OpenSSL/crypto/ecdh/ech_ossl.c | 0 Cryptlib/OpenSSL/crypto/ecdsa/ecs_asn1.c | 0 Cryptlib/OpenSSL/crypto/ecdsa/ecs_err.c | 0 Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c | 0 Cryptlib/OpenSSL/crypto/ecdsa/ecs_ossl.c | 0 Cryptlib/OpenSSL/crypto/ecdsa/ecs_sign.c | 0 Cryptlib/OpenSSL/crypto/ecdsa/ecs_vrf.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_all.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_cnf.c | 0 .../OpenSSL/crypto/engine/eng_cryptodev.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_dyn.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_err.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_fat.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_init.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_lib.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_list.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_openssl.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_padlock.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_pkey.c | 0 Cryptlib/OpenSSL/crypto/engine/eng_table.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_cipher.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_dh.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_digest.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_dsa.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_ecdh.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_ecdsa.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_rand.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_rsa.c | 0 Cryptlib/OpenSSL/crypto/engine/tb_store.c | 0 Cryptlib/OpenSSL/crypto/err/err.c | 0 Cryptlib/OpenSSL/crypto/err/err_all.c | 0 Cryptlib/OpenSSL/crypto/err/err_bio.c | 0 Cryptlib/OpenSSL/crypto/err/err_def.c | 0 Cryptlib/OpenSSL/crypto/err/err_prn.c | 0 Cryptlib/OpenSSL/crypto/err/err_str.c | 0 Cryptlib/OpenSSL/crypto/evp/bio_b64.c | 0 Cryptlib/OpenSSL/crypto/evp/bio_enc.c | 0 Cryptlib/OpenSSL/crypto/evp/bio_md.c | 0 Cryptlib/OpenSSL/crypto/evp/bio_ok.c | 0 Cryptlib/OpenSSL/crypto/evp/c_all.c | 0 Cryptlib/OpenSSL/crypto/evp/c_allc.c | 0 Cryptlib/OpenSSL/crypto/evp/c_alld.c | 0 Cryptlib/OpenSSL/crypto/evp/dig_eng.c | 0 Cryptlib/OpenSSL/crypto/evp/digest.c | 0 Cryptlib/OpenSSL/crypto/evp/e_aes.c | 0 Cryptlib/OpenSSL/crypto/evp/e_bf.c | 0 Cryptlib/OpenSSL/crypto/evp/e_cast.c | 0 Cryptlib/OpenSSL/crypto/evp/e_des.c | 0 Cryptlib/OpenSSL/crypto/evp/e_des3.c | 0 Cryptlib/OpenSSL/crypto/evp/e_idea.c | 0 Cryptlib/OpenSSL/crypto/evp/e_null.c | 0 Cryptlib/OpenSSL/crypto/evp/e_old.c | 0 Cryptlib/OpenSSL/crypto/evp/e_rc2.c | 0 Cryptlib/OpenSSL/crypto/evp/e_rc4.c | 0 Cryptlib/OpenSSL/crypto/evp/e_rc5.c | 0 Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c | 0 Cryptlib/OpenSSL/crypto/evp/enc_min.c | 0 Cryptlib/OpenSSL/crypto/evp/encode.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_acnf.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_cnf.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_enc.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_err.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_key.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_pbe.c | 0 Cryptlib/OpenSSL/crypto/evp/evp_pkey.c | 0 Cryptlib/OpenSSL/crypto/evp/m_dss.c | 0 Cryptlib/OpenSSL/crypto/evp/m_dss1.c | 0 Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c | 0 Cryptlib/OpenSSL/crypto/evp/m_md2.c | 0 Cryptlib/OpenSSL/crypto/evp/m_md4.c | 0 Cryptlib/OpenSSL/crypto/evp/m_md5.c | 0 Cryptlib/OpenSSL/crypto/evp/m_null.c | 0 Cryptlib/OpenSSL/crypto/evp/m_ripemd.c | 0 Cryptlib/OpenSSL/crypto/evp/m_sha.c | 0 Cryptlib/OpenSSL/crypto/evp/m_sha1.c | 0 Cryptlib/OpenSSL/crypto/evp/names.c | 0 Cryptlib/OpenSSL/crypto/evp/p5_crpt.c | 0 Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c | 0 Cryptlib/OpenSSL/crypto/evp/p_dec.c | 0 Cryptlib/OpenSSL/crypto/evp/p_enc.c | 0 Cryptlib/OpenSSL/crypto/evp/p_lib.c | 0 Cryptlib/OpenSSL/crypto/evp/p_open.c | 0 Cryptlib/OpenSSL/crypto/evp/p_seal.c | 0 Cryptlib/OpenSSL/crypto/evp/p_sign.c | 0 Cryptlib/OpenSSL/crypto/evp/p_verify.c | 0 Cryptlib/OpenSSL/crypto/ex_data.c | 0 Cryptlib/OpenSSL/crypto/fips_err.c | 0 Cryptlib/OpenSSL/crypto/hmac/hmac.c | 0 Cryptlib/OpenSSL/crypto/idea/i_cbc.c | 0 Cryptlib/OpenSSL/crypto/idea/i_cfb64.c | 0 Cryptlib/OpenSSL/crypto/idea/i_ecb.c | 0 Cryptlib/OpenSSL/crypto/idea/i_ofb64.c | 0 Cryptlib/OpenSSL/crypto/idea/i_skey.c | 0 Cryptlib/OpenSSL/crypto/krb5/krb5_asn.c | 0 Cryptlib/OpenSSL/crypto/lhash/lh_stats.c | 0 Cryptlib/OpenSSL/crypto/lhash/lhash.c | 0 Cryptlib/OpenSSL/crypto/md2/md2_dgst.c | 0 Cryptlib/OpenSSL/crypto/md2/md2_one.c | 0 Cryptlib/OpenSSL/crypto/md4/md4_dgst.c | 0 Cryptlib/OpenSSL/crypto/md4/md4_one.c | 0 Cryptlib/OpenSSL/crypto/md5/md5_dgst.c | 0 Cryptlib/OpenSSL/crypto/md5/md5_one.c | 0 Cryptlib/OpenSSL/crypto/mem.c | 0 Cryptlib/OpenSSL/crypto/mem_clr.c | 0 Cryptlib/OpenSSL/crypto/mem_dbg.c | 0 Cryptlib/OpenSSL/crypto/o_dir.c | 0 Cryptlib/OpenSSL/crypto/o_init.c | 0 Cryptlib/OpenSSL/crypto/o_str.c | 0 Cryptlib/OpenSSL/crypto/o_time.c | 0 Cryptlib/OpenSSL/crypto/objects/o_names.c | 0 Cryptlib/OpenSSL/crypto/objects/obj_dat.c | 16 +- Cryptlib/OpenSSL/crypto/objects/obj_err.c | 0 Cryptlib/OpenSSL/crypto/objects/obj_lib.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c | 3 + Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c | 13 +- Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c | 0 Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_all.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_err.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_info.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_lib.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_oth.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_pk8.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_pkey.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_seal.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_sign.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_x509.c | 0 Cryptlib/OpenSSL/crypto/pem/pem_xaux.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c | 0 Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c | 0 Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c | 0 Cryptlib/OpenSSL/crypto/pqueue/pqueue.c | 0 Cryptlib/OpenSSL/crypto/rand/md_rand.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_egd.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_eng.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_err.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_lib.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_nw.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_os2.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_unix.c | 0 Cryptlib/OpenSSL/crypto/rand/rand_win.c | 0 Cryptlib/OpenSSL/crypto/rand/randfile.c | 0 Cryptlib/OpenSSL/crypto/rc2/rc2_cbc.c | 0 Cryptlib/OpenSSL/crypto/rc2/rc2_ecb.c | 0 Cryptlib/OpenSSL/crypto/rc2/rc2_skey.c | 0 Cryptlib/OpenSSL/crypto/rc2/rc2cfb64.c | 0 Cryptlib/OpenSSL/crypto/rc2/rc2ofb64.c | 0 Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c | 0 Cryptlib/OpenSSL/crypto/rc4/rc4_fblk.c | 0 Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c | 0 Cryptlib/OpenSSL/crypto/ripemd/rmd_dgst.c | 0 Cryptlib/OpenSSL/crypto/ripemd/rmd_one.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c | 2 +- Cryptlib/OpenSSL/crypto/rsa/rsa_eng.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_err.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_none.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_null.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c | 0 Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c | 0 Cryptlib/OpenSSL/crypto/sha/sha1_one.c | 0 Cryptlib/OpenSSL/crypto/sha/sha1dgst.c | 0 Cryptlib/OpenSSL/crypto/sha/sha256.c | 0 Cryptlib/OpenSSL/crypto/sha/sha512.c | 0 Cryptlib/OpenSSL/crypto/sha/sha_dgst.c | 0 Cryptlib/OpenSSL/crypto/sha/sha_one.c | 0 Cryptlib/OpenSSL/crypto/stack/stack.c | 0 Cryptlib/OpenSSL/crypto/store/str_err.c | 0 Cryptlib/OpenSSL/crypto/store/str_lib.c | 0 Cryptlib/OpenSSL/crypto/store/str_mem.c | 0 Cryptlib/OpenSSL/crypto/store/str_meth.c | 0 Cryptlib/OpenSSL/crypto/txt_db/txt_db.c | 0 Cryptlib/OpenSSL/crypto/ui/ui_compat.c | 0 Cryptlib/OpenSSL/crypto/ui/ui_err.c | 0 Cryptlib/OpenSSL/crypto/ui/ui_lib.c | 2 +- Cryptlib/OpenSSL/crypto/ui/ui_util.c | 0 Cryptlib/OpenSSL/crypto/uid.c | 0 Cryptlib/OpenSSL/crypto/x509/by_dir.c | 0 Cryptlib/OpenSSL/crypto/x509/by_file.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_att.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_cmp.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_d2.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_def.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_err.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_ext.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_lu.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_obj.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_r2x.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_req.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_set.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_trs.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_txt.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_v3.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_vfy.c | 0 Cryptlib/OpenSSL/crypto/x509/x509_vpm.c | 0 Cryptlib/OpenSSL/crypto/x509/x509cset.c | 0 Cryptlib/OpenSSL/crypto/x509/x509name.c | 0 Cryptlib/OpenSSL/crypto/x509/x509rset.c | 0 Cryptlib/OpenSSL/crypto/x509/x509spki.c | 0 Cryptlib/OpenSSL/crypto/x509/x509type.c | 0 Cryptlib/OpenSSL/crypto/x509/x_all.c | 0 Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c | 0 Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c | 0 Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c | 0 Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c | 0 Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c | 0 Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_info.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_int.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c | 0 Cryptlib/OpenSSL/crypto/x509v3/v3err.c | 0 Cryptlib/OpenSSL/e_os.h | 0 Cryptlib/OpenSSL/update.sh | 999 +++++++++--------- Cryptlib/Pk/CryptAuthenticode.c | 4 +- 500 files changed, 729 insertions(+), 687 deletions(-) mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_cbc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_cfb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_core.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_ctr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_ecb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_ige.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_misc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_ofb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/aes/aes_wrap.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_bool.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_bytes.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_digest.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_dup.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_enum.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_gentm.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_hdr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_int.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_meth.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_object.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_octet.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_print.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_set.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_sign.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_strex.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_strnid.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_time.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_type.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_utctm.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_utf8.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/a_verify.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn1_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn1_par.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn_mime.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn_moid.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/asn_pack.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/f_enum.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/f_int.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/f_string.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/n_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/nsseq.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_bitst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_crl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_req.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_spki.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_x509.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/t_x509a.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/tasn_new.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_algor.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_attrib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_bignum.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_crl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_exten.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_info.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_long.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_name.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_req.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_sig.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_spki.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_val.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_x509.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/asn1/x_x509a.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bf/bf_cfb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bf/bf_ecb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bf/bf_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bf/bf_ofb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bf/bf_skey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/b_dump.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bf_buff.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bf_nbio.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bf_null.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bio_cb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bio_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bio_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_bio.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_dgram.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_fd.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_file.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_log.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_mem.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bio/bss_null.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_add.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_asm.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_blind.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_const.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_ctx.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_depr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_div.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_exp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_exp2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_gcd.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_kron.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_mod.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_mont.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_mpi.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_mul.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_nist.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_opt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_prime.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_print.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_rand.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_recp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_shift.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_sqr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_word.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/bn/bn_x931p.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/buffer/buf_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/buffer/buf_str.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/buffer/buffer.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cast/c_cfb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cast/c_ecb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cast/c_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cast/c_ofb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cast/c_skey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/comp/c_rle.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/comp/c_zlib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/comp/comp_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/comp/comp_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_api.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_def.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_mall.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_mod.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/conf/conf_sap.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cpt_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cryptlib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/cversion.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/cbc_cksm.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/cbc_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/cfb64ede.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/cfb64enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/cfb_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/des_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/des_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/des_old.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/des_old2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/ecb3_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/ecb_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/ede_cbcm_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/enc_read.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/enc_writ.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/fcrypt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/fcrypt_b.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/ofb64ede.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/ofb64enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/ofb_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/pcbc_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/qud_cksm.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/rand_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/read2pwd.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/rpc_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/set_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/str2key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/des/xcbc_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_check.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_depr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_gen.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dh/dh_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_depr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_gen.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_ossl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_sign.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_utl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dsa/dsa_vrf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_dl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_null.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_openssl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_vms.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dso/dso_win32.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/dyn_lck.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ebcdic.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec2_mult.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec2_smpl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_check.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_curve.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_cvt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_mult.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ec_print.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ecp_mont.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ecp_nist.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdh/ech_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdh/ech_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdh/ech_ossl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdsa/ecs_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdsa/ecs_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdsa/ecs_ossl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdsa/ecs_sign.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ecdsa/ecs_vrf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_all.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_cnf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_dyn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_fat.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_init.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_list.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_openssl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_padlock.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/eng_table.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_cipher.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_dh.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_digest.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_dsa.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_ecdh.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_ecdsa.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_rand.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_rsa.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/engine/tb_store.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/err/err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/err/err_all.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/err/err_bio.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/err/err_def.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/err/err_prn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/err/err_str.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/bio_b64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/bio_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/bio_md.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/bio_ok.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/c_all.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/c_allc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/c_alld.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/dig_eng.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/digest.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_aes.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_bf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_cast.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_des.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_des3.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_idea.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_null.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_old.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_rc2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_rc4.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_rc5.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/enc_min.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/encode.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_acnf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_cnf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_pbe.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/evp_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_dss.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_dss1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_md2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_md4.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_md5.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_null.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_ripemd.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_sha.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/m_sha1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/names.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p5_crpt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_dec.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_open.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_seal.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_sign.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/evp/p_verify.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ex_data.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/fips_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/hmac/hmac.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/idea/i_cbc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/idea/i_cfb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/idea/i_ecb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/idea/i_ofb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/idea/i_skey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/krb5/krb5_asn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/lhash/lh_stats.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/lhash/lhash.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/md2/md2_dgst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/md2/md2_one.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/md4/md4_dgst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/md4/md4_one.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/md5/md5_dgst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/md5/md5_one.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/mem.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/mem_clr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/mem_dbg.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/o_dir.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/o_init.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/o_str.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/o_time.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/objects/o_names.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/objects/obj_dat.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/objects/obj_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/objects/obj_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_all.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_info.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_oth.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_pk8.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_pkey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_seal.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_sign.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_x509.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pem/pem_xaux.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/pqueue/pqueue.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/md_rand.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_egd.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_eng.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_nw.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_os2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_unix.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/rand_win.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rand/randfile.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc2/rc2_cbc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc2/rc2_ecb.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc2/rc2_skey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc2/rc2cfb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc2/rc2ofb64.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc4/rc4_fblk.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ripemd/rmd_dgst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ripemd/rmd_one.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_eng.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_none.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_null.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/sha/sha1_one.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/sha/sha1dgst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/sha/sha256.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/sha/sha512.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/sha/sha_dgst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/sha/sha_one.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/stack/stack.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/store/str_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/store/str_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/store/str_mem.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/store/str_meth.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/txt_db/txt_db.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ui/ui_compat.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ui/ui_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ui/ui_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/ui/ui_util.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/uid.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/by_dir.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/by_file.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_att.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_cmp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_d2.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_def.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_err.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_ext.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_lu.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_obj.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_r2x.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_req.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_set.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_trs.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_txt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_v3.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_vfy.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509_vpm.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509cset.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509name.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509rset.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509spki.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x509type.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509/x_all.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_info.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_int.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c mode change 100755 => 100644 Cryptlib/OpenSSL/crypto/x509v3/v3err.c mode change 100755 => 100644 Cryptlib/OpenSSL/e_os.h diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c b/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c b/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_core.c b/Cryptlib/OpenSSL/crypto/aes/aes_core.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c b/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c b/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ige.c b/Cryptlib/OpenSSL/crypto/aes/aes_ige.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_misc.c b/Cryptlib/OpenSSL/crypto/aes/aes_misc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c b/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c b/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c b/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bool.c b/Cryptlib/OpenSSL/crypto/asn1/a_bool.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c b/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_digest.c b/Cryptlib/OpenSSL/crypto/asn1/a_digest.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_dup.c b/Cryptlib/OpenSSL/crypto/asn1/a_dup.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_enum.c b/Cryptlib/OpenSSL/crypto/asn1/a_enum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c b/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_hdr.c b/Cryptlib/OpenSSL/crypto/asn1/a_hdr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_int.c b/Cryptlib/OpenSSL/crypto/asn1/a_int.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c b/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_meth.c b/Cryptlib/OpenSSL/crypto/asn1/a_meth.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_object.c b/Cryptlib/OpenSSL/crypto/asn1/a_object.c old mode 100755 new mode 100644 index 3ac2bc2..e50501a --- a/Cryptlib/OpenSSL/crypto/asn1/a_object.c +++ b/Cryptlib/OpenSSL/crypto/asn1/a_object.c @@ -285,16 +285,28 @@ err: ASN1_OBJECT_free(ret); return(NULL); } + ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) { ASN1_OBJECT *ret=NULL; const unsigned char *p; - int i; - /* Sanity check OID encoding: can't have leading 0x80 in - * subidentifiers, see: X.690 8.19.2 + int i, length; + + /* Sanity check OID encoding. + * Need at least one content octet. + * MSB must be clear in the last octet. + * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2 */ - for (i = 0, p = *pp; i < len; i++, p++) + if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL || + p[len - 1] & 0x80) + { + ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); + return NULL; + } + /* Now 0 < len <= INT_MAX, so the cast is safe. */ + length = (int)len; + for (i = 0; i < length; i++, p++) { if (*p == 0x80 && (!i || !(p[-1] & 0x80))) { @@ -313,20 +325,20 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, else ret=(*a); p= *pp; - if ((ret->data == NULL) || (ret->length < len)) + if ((ret->data == NULL) || (ret->length < length)) { if (ret->data != NULL) OPENSSL_free(ret->data); - ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1); + ret->data=(unsigned char *)OPENSSL_malloc(length); ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA; if (ret->data == NULL) { i=ERR_R_MALLOC_FAILURE; goto err; } } - memcpy(ret->data,p,(int)len); - ret->length=(int)len; + memcpy(ret->data,p,length); + ret->length=length; ret->sn=NULL; ret->ln=NULL; /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */ - p+=len; + p+=length; if (a != NULL) (*a)=ret; *pp=p; diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_octet.c b/Cryptlib/OpenSSL/crypto/asn1/a_octet.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_print.c b/Cryptlib/OpenSSL/crypto/asn1/a_print.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_set.c b/Cryptlib/OpenSSL/crypto/asn1/a_set.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_sign.c b/Cryptlib/OpenSSL/crypto/asn1/a_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_time.c b/Cryptlib/OpenSSL/crypto/asn1/a_time.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_type.c b/Cryptlib/OpenSSL/crypto/asn1/a_type.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c b/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c b/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c old mode 100755 new mode 100644 index 5af559e..d345155 --- a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c @@ -131,6 +131,9 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, *pclass=xclass; if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err; + if (inf && !(ret & V_ASN1_CONSTRUCTED)) + goto err; + #if 0 fprintf(stderr,"p=%d + *plength=%ld > omax=%ld + *pp=%d (%d > %d)\n", (int)p,*plength,omax,(int)*pp,(int)(p+ *plength), diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c b/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c old mode 100755 new mode 100644 index ad8fbed..095887f --- a/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c @@ -595,6 +595,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio) int len, state, save_state = 0; headers = sk_MIME_HEADER_new(mime_hdr_cmp); + if (!headers) + return NULL; while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) { /* If whitespace at line start then continuation line */ if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME; diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c b/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c b/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c old mode 100755 new mode 100644 index f1a5a05..c373714 --- a/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c +++ b/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c @@ -134,15 +134,23 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct) if (!(octmp->length = i2d(obj, NULL))) { ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR); - return NULL; + goto err; } if (!(p = OPENSSL_malloc (octmp->length))) { ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } octmp->data = p; i2d (obj, &p); return octmp; + err: + if (!oct || !*oct) + { + ASN1_STRING_free(octmp); + if (oct) + *oct = NULL; + } + return NULL; } #endif diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c b/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c old mode 100755 new mode 100644 index f3d9804..1b94459 --- a/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c +++ b/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c @@ -66,7 +66,11 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) ASN1_STRING *os; if ((os=M_ASN1_OCTET_STRING_new()) == NULL) return(0); - if (!M_ASN1_OCTET_STRING_set(os,data,len)) return(0); + if (!M_ASN1_OCTET_STRING_set(os,data,len)) + { + M_ASN1_OCTET_STRING_free(os); + return 0; + } ASN1_TYPE_set(a,V_ASN1_OCTET_STRING,os); return(1); } diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_enum.c b/Cryptlib/OpenSSL/crypto/asn1/f_enum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_int.c b/Cryptlib/OpenSSL/crypto/asn1/f_int.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_string.c b/Cryptlib/OpenSSL/crypto/asn1/f_string.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c b/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c b/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/nsseq.c b/Cryptlib/OpenSSL/crypto/asn1/nsseq.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c b/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c b/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c b/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_crl.c b/Cryptlib/OpenSSL/crypto/asn1/t_crl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_req.c b/Cryptlib/OpenSSL/crypto/asn1/t_req.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_spki.c b/Cryptlib/OpenSSL/crypto/asn1/t_spki.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c old mode 100755 new mode 100644 index 6f295b4..f9dad0e --- a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c +++ b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c @@ -465,6 +465,8 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) l=80-2-obase; b=X509_NAME_oneline(name,NULL,0); + if (!b) + return 0; if (!*b) { OPENSSL_free(b); diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c old mode 100755 new mode 100644 index 2721f90..b3687f9 --- a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c +++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c @@ -453,9 +453,14 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, { derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst)); - tmpdat = OPENSSL_malloc(skcontlen); - if (!derlst || !tmpdat) + if (!derlst) return 0; + tmpdat = OPENSSL_malloc(skcontlen); + if (!tmpdat) + { + OPENSSL_free(derlst); + return 0; + } } } /* If not sorting just output each item */ diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_algor.c b/Cryptlib/OpenSSL/crypto/asn1/x_algor.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c b/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c b/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_crl.c b/Cryptlib/OpenSSL/crypto/asn1/x_crl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_exten.c b/Cryptlib/OpenSSL/crypto/asn1/x_exten.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_info.c b/Cryptlib/OpenSSL/crypto/asn1/x_info.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_long.c b/Cryptlib/OpenSSL/crypto/asn1/x_long.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_name.c b/Cryptlib/OpenSSL/crypto/asn1/x_name.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_req.c b/Cryptlib/OpenSSL/crypto/asn1/x_req.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_sig.c b/Cryptlib/OpenSSL/crypto/asn1/x_sig.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_spki.c b/Cryptlib/OpenSSL/crypto/asn1/x_spki.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_val.c b/Cryptlib/OpenSSL/crypto/asn1/x_val.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_cfb64.c b/Cryptlib/OpenSSL/crypto/bf/bf_cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_ecb.c b/Cryptlib/OpenSSL/crypto/bf/bf_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_enc.c b/Cryptlib/OpenSSL/crypto/bf/bf_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_ofb64.c b/Cryptlib/OpenSSL/crypto/bf/bf_ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bf/bf_skey.c b/Cryptlib/OpenSSL/crypto/bf/bf_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/b_dump.c b/Cryptlib/OpenSSL/crypto/bio/b_dump.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_buff.c b/Cryptlib/OpenSSL/crypto/bio/bf_buff.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c b/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_null.c b/Cryptlib/OpenSSL/crypto/bio/bf_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_cb.c b/Cryptlib/OpenSSL/crypto/bio/bio_cb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_err.c b/Cryptlib/OpenSSL/crypto/bio/bio_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_lib.c b/Cryptlib/OpenSSL/crypto/bio/bio_lib.c old mode 100755 new mode 100644 index 371cdf5..6346c19 --- a/Cryptlib/OpenSSL/crypto/bio/bio_lib.c +++ b/Cryptlib/OpenSSL/crypto/bio/bio_lib.c @@ -132,8 +132,8 @@ int BIO_free(BIO *a) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data); - if ((a->method == NULL) || (a->method->destroy == NULL)) return(1); - a->method->destroy(a); + if ((a->method != NULL) && (a->method->destroy != NULL)) + a->method->destroy(a); OPENSSL_free(a); return(1); } diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_bio.c b/Cryptlib/OpenSSL/crypto/bio/bss_bio.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c b/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_fd.c b/Cryptlib/OpenSSL/crypto/bio/bss_fd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_file.c b/Cryptlib/OpenSSL/crypto/bio/bss_file.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_log.c b/Cryptlib/OpenSSL/crypto/bio/bss_log.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_mem.c b/Cryptlib/OpenSSL/crypto/bio/bss_mem.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_null.c b/Cryptlib/OpenSSL/crypto/bio/bss_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_add.c b/Cryptlib/OpenSSL/crypto/bn/bn_add.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_asm.c b/Cryptlib/OpenSSL/crypto/bn/bn_asm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_blind.c b/Cryptlib/OpenSSL/crypto/bn/bn_blind.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_const.c b/Cryptlib/OpenSSL/crypto/bn/bn_const.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c b/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_depr.c b/Cryptlib/OpenSSL/crypto/bn/bn_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_div.c b/Cryptlib/OpenSSL/crypto/bn/bn_div.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_err.c b/Cryptlib/OpenSSL/crypto/bn/bn_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c old mode 100755 new mode 100644 index 5d90f1e..28f1fa8 --- a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c @@ -1095,3 +1095,54 @@ int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a) return 1; } +/* + * Constant-time conditional swap of a and b. + * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. + * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, + * and that no more than nwords are used by either a or b. + * a and b cannot be the same number + */ +void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) + { + BN_ULONG t; + int i; + + bn_wcheck_size(a, nwords); + bn_wcheck_size(b, nwords); + + assert(a != b); + assert((condition & (condition - 1)) == 0); + assert(sizeof(BN_ULONG) >= sizeof(int)); + + condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; + + t = (a->top^b->top) & condition; + a->top ^= t; + b->top ^= t; + +#define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ + a->d[ind] ^= t; \ + b->d[ind] ^= t; \ + } while (0) + + + switch (nwords) { + default: + for (i = 10; i < nwords; i++) + BN_CONSTTIME_SWAP(i); + /* Fallthrough */ + case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ + case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ + case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ + case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ + case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ + case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ + case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ + case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ + case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ + case 1: BN_CONSTTIME_SWAP(0); + } +#undef BN_CONSTTIME_SWAP +} diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_kron.c b/Cryptlib/OpenSSL/crypto/bn/bn_kron.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c old mode 100755 new mode 100644 index b66f507..c288844 --- a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c @@ -320,6 +320,15 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE); return(NULL); } +#ifdef PURIFY + /* Valgrind complains in BN_consttime_swap because we process the whole + * array even if it's not initialised yet. This doesn't matter in that + * function - what's important is constant time operation (we're not + * actually going to use the data) + */ + memset(a, 0, sizeof(BN_ULONG)*words); +#endif + #if 1 B=b->d; /* Check if the previous number needs to be copied */ @@ -824,55 +833,3 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, } return bn_cmp_words(a,b,cl); } - -/* - * Constant-time conditional swap of a and b. - * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. - * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, - * and that no more than nwords are used by either a or b. - * a and b cannot be the same number - */ -void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) - { - BN_ULONG t; - int i; - - bn_wcheck_size(a, nwords); - bn_wcheck_size(b, nwords); - - assert(a != b); - assert((condition & (condition - 1)) == 0); - assert(sizeof(BN_ULONG) >= sizeof(int)); - - condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; - - t = (a->top^b->top) & condition; - a->top ^= t; - b->top ^= t; - -#define BN_CONSTTIME_SWAP(ind) \ - do { \ - t = (a->d[ind] ^ b->d[ind]) & condition; \ - a->d[ind] ^= t; \ - b->d[ind] ^= t; \ - } while (0) - - - switch (nwords) { - default: - for (i = 10; i < nwords; i++) - BN_CONSTTIME_SWAP(i); - /* Fallthrough */ - case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ - case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ - case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ - case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ - case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ - case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ - case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ - case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ - case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ - case 1: BN_CONSTTIME_SWAP(0); - } -#undef BN_CONSTTIME_SWAP -} diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mod.c b/Cryptlib/OpenSSL/crypto/bn/bn_mod.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c b/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mul.c b/Cryptlib/OpenSSL/crypto/bn/bn_mul.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_nist.c b/Cryptlib/OpenSSL/crypto/bn/bn_nist.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_opt.c b/Cryptlib/OpenSSL/crypto/bn/bn_opt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_print.c b/Cryptlib/OpenSSL/crypto/bn/bn_print.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_rand.c b/Cryptlib/OpenSSL/crypto/bn/bn_rand.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_recp.c b/Cryptlib/OpenSSL/crypto/bn/bn_recp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_shift.c b/Cryptlib/OpenSSL/crypto/bn/bn_shift.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c old mode 100755 new mode 100644 index 270d0cd..65bbf16 --- a/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c +++ b/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c @@ -77,6 +77,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) if (al <= 0) { r->top=0; + r->neg = 0; return 1; } diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_word.c b/Cryptlib/OpenSSL/crypto/bn/bn_word.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c b/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_err.c b/Cryptlib/OpenSSL/crypto/buffer/buf_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_str.c b/Cryptlib/OpenSSL/crypto/buffer/buf_str.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/buffer/buffer.c b/Cryptlib/OpenSSL/crypto/buffer/buffer.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_cfb64.c b/Cryptlib/OpenSSL/crypto/cast/c_cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_ecb.c b/Cryptlib/OpenSSL/crypto/cast/c_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_enc.c b/Cryptlib/OpenSSL/crypto/cast/c_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_ofb64.c b/Cryptlib/OpenSSL/crypto/cast/c_ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cast/c_skey.c b/Cryptlib/OpenSSL/crypto/cast/c_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/c_rle.c b/Cryptlib/OpenSSL/crypto/comp/c_rle.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/c_zlib.c b/Cryptlib/OpenSSL/crypto/comp/c_zlib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_err.c b/Cryptlib/OpenSSL/crypto/comp/comp_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_lib.c b/Cryptlib/OpenSSL/crypto/comp/comp_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_api.c b/Cryptlib/OpenSSL/crypto/conf/conf_api.c old mode 100755 new mode 100644 index 17bae83..55d1d50 --- a/Cryptlib/OpenSSL/crypto/conf/conf_api.c +++ b/Cryptlib/OpenSSL/crypto/conf/conf_api.c @@ -294,7 +294,7 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section) v->value=(char *)sk; vv=(CONF_VALUE *)lh_insert(conf->data,v); - assert(vv == NULL); + OPENSSL_assert(vv == NULL); ok=1; err: if (!ok) diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.c b/Cryptlib/OpenSSL/crypto/conf/conf_def.c old mode 100755 new mode 100644 index 3c58936..a168339 --- a/Cryptlib/OpenSSL/crypto/conf/conf_def.c +++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.c @@ -324,7 +324,7 @@ again: p=eat_ws(conf, end); if (*p != ']') { - if (*p != '\0') + if (*p != '\0' && ss != p) { ss=p; goto again; diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_err.c b/Cryptlib/OpenSSL/crypto/conf/conf_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_lib.c b/Cryptlib/OpenSSL/crypto/conf/conf_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mall.c b/Cryptlib/OpenSSL/crypto/conf/conf_mall.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mod.c b/Cryptlib/OpenSSL/crypto/conf/conf_mod.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cpt_err.c b/Cryptlib/OpenSSL/crypto/cpt_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/cversion.c b/Cryptlib/OpenSSL/crypto/cversion.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cbc_cksm.c b/Cryptlib/OpenSSL/crypto/des/cbc_cksm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cbc_enc.c b/Cryptlib/OpenSSL/crypto/des/cbc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cfb64ede.c b/Cryptlib/OpenSSL/crypto/des/cfb64ede.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cfb64enc.c b/Cryptlib/OpenSSL/crypto/des/cfb64enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/cfb_enc.c b/Cryptlib/OpenSSL/crypto/des/cfb_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_enc.c b/Cryptlib/OpenSSL/crypto/des/des_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_lib.c b/Cryptlib/OpenSSL/crypto/des/des_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_old.c b/Cryptlib/OpenSSL/crypto/des/des_old.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/des_old2.c b/Cryptlib/OpenSSL/crypto/des/des_old2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ecb3_enc.c b/Cryptlib/OpenSSL/crypto/des/ecb3_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ecb_enc.c b/Cryptlib/OpenSSL/crypto/des/ecb_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ede_cbcm_enc.c b/Cryptlib/OpenSSL/crypto/des/ede_cbcm_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/enc_read.c b/Cryptlib/OpenSSL/crypto/des/enc_read.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/enc_writ.c b/Cryptlib/OpenSSL/crypto/des/enc_writ.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/fcrypt.c b/Cryptlib/OpenSSL/crypto/des/fcrypt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/fcrypt_b.c b/Cryptlib/OpenSSL/crypto/des/fcrypt_b.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ofb64ede.c b/Cryptlib/OpenSSL/crypto/des/ofb64ede.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ofb64enc.c b/Cryptlib/OpenSSL/crypto/des/ofb64enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/ofb_enc.c b/Cryptlib/OpenSSL/crypto/des/ofb_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/pcbc_enc.c b/Cryptlib/OpenSSL/crypto/des/pcbc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/qud_cksm.c b/Cryptlib/OpenSSL/crypto/des/qud_cksm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/rand_key.c b/Cryptlib/OpenSSL/crypto/des/rand_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/read2pwd.c b/Cryptlib/OpenSSL/crypto/des/read2pwd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/rpc_enc.c b/Cryptlib/OpenSSL/crypto/des/rpc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/set_key.c b/Cryptlib/OpenSSL/crypto/des/set_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/str2key.c b/Cryptlib/OpenSSL/crypto/des/str2key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/des/xcbc_enc.c b/Cryptlib/OpenSSL/crypto/des/xcbc_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c b/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_check.c b/Cryptlib/OpenSSL/crypto/dh/dh_check.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_depr.c b/Cryptlib/OpenSSL/crypto/dh/dh_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_err.c b/Cryptlib/OpenSSL/crypto/dh/dh_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_gen.c b/Cryptlib/OpenSSL/crypto/dh/dh_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_key.c b/Cryptlib/OpenSSL/crypto/dh/dh_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_lib.c b/Cryptlib/OpenSSL/crypto/dh/dh_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_asn1.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_depr.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_err.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_gen.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_key.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_lib.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_ossl.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_ossl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_sign.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_utl.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dsa/dsa_vrf.c b/Cryptlib/OpenSSL/crypto/dsa/dsa_vrf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_dl.c b/Cryptlib/OpenSSL/crypto/dso/dso_dl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c b/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_err.c b/Cryptlib/OpenSSL/crypto/dso/dso_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_lib.c b/Cryptlib/OpenSSL/crypto/dso/dso_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_null.c b/Cryptlib/OpenSSL/crypto/dso/dso_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c b/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_vms.c b/Cryptlib/OpenSSL/crypto/dso/dso_vms.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_win32.c b/Cryptlib/OpenSSL/crypto/dso/dso_win32.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/dyn_lck.c b/Cryptlib/OpenSSL/crypto/dyn_lck.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ebcdic.c b/Cryptlib/OpenSSL/crypto/ebcdic.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c b/Cryptlib/OpenSSL/crypto/ec/ec2_mult.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec2_smpl.c b/Cryptlib/OpenSSL/crypto/ec/ec2_smpl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_asn1.c b/Cryptlib/OpenSSL/crypto/ec/ec_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_check.c b/Cryptlib/OpenSSL/crypto/ec/ec_check.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_curve.c b/Cryptlib/OpenSSL/crypto/ec/ec_curve.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_cvt.c b/Cryptlib/OpenSSL/crypto/ec/ec_cvt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_err.c b/Cryptlib/OpenSSL/crypto/ec/ec_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_key.c b/Cryptlib/OpenSSL/crypto/ec/ec_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_lib.c b/Cryptlib/OpenSSL/crypto/ec/ec_lib.c old mode 100755 new mode 100644 index bbf2799..e7d11ff --- a/Cryptlib/OpenSSL/crypto/ec/ec_lib.c +++ b/Cryptlib/OpenSSL/crypto/ec/ec_lib.c @@ -1010,7 +1010,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX * int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) { - if (group->meth->dbl == 0) + if (group->meth->invert == 0) { ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_mult.c b/Cryptlib/OpenSSL/crypto/ec/ec_mult.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ec_print.c b/Cryptlib/OpenSSL/crypto/ec/ec_print.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ecp_mont.c b/Cryptlib/OpenSSL/crypto/ec/ecp_mont.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ecp_nist.c b/Cryptlib/OpenSSL/crypto/ec/ecp_nist.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c b/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c old mode 100755 new mode 100644 index 66a92e2..b239088 --- a/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c +++ b/Cryptlib/OpenSSL/crypto/ec/ecp_smpl.c @@ -1540,9 +1540,8 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ct int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) { BN_CTX *new_ctx = NULL; - BIGNUM *tmp0, *tmp1; - size_t pow2 = 0; - BIGNUM **heap = NULL; + BIGNUM *tmp, *tmp_Z; + BIGNUM **prod_Z = NULL; size_t i; int ret = 0; @@ -1557,124 +1556,104 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT } BN_CTX_start(ctx); - tmp0 = BN_CTX_get(ctx); - tmp1 = BN_CTX_get(ctx); - if (tmp0 == NULL || tmp1 == NULL) goto err; + tmp = BN_CTX_get(ctx); + tmp_Z = BN_CTX_get(ctx); + if (tmp == NULL || tmp_Z == NULL) goto err; - /* Before converting the individual points, compute inverses of all Z values. - * Modular inversion is rather slow, but luckily we can do with a single - * explicit inversion, plus about 3 multiplications per input value. - */ - - pow2 = 1; - while (num > pow2) - pow2 <<= 1; - /* Now pow2 is the smallest power of 2 satifsying pow2 >= num. - * We need twice that. */ - pow2 <<= 1; - - heap = OPENSSL_malloc(pow2 * sizeof heap[0]); - if (heap == NULL) goto err; - - /* The array is used as a binary tree, exactly as in heapsort: - * - * heap[1] - * heap[2] heap[3] - * heap[4] heap[5] heap[6] heap[7] - * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15] - * - * We put the Z's in the last line; - * then we set each other node to the product of its two child-nodes (where - * empty or 0 entries are treated as ones); - * then we invert heap[1]; - * then we invert each other node by replacing it by the product of its - * parent (after inversion) and its sibling (before inversion). - */ - heap[0] = NULL; - for (i = pow2/2 - 1; i > 0; i--) - heap[i] = NULL; + prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]); + if (prod_Z == NULL) goto err; for (i = 0; i < num; i++) - heap[pow2/2 + i] = &points[i]->Z; - for (i = pow2/2 + num; i < pow2; i++) - heap[i] = NULL; - - /* set each node to the product of its children */ - for (i = pow2/2 - 1; i > 0; i--) { - heap[i] = BN_new(); - if (heap[i] == NULL) goto err; - - if (heap[2*i] != NULL) - { - if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1])) - { - if (!BN_copy(heap[i], heap[2*i])) goto err; - } - else - { - if (BN_is_zero(heap[2*i])) - { - if (!BN_copy(heap[i], heap[2*i + 1])) goto err; - } - else - { - if (!group->meth->field_mul(group, heap[i], - heap[2*i], heap[2*i + 1], ctx)) goto err; - } - } - } + prod_Z[i] = BN_new(); + if (prod_Z[i] == NULL) goto err; } - /* invert heap[1] */ - if (!BN_is_zero(heap[1])) - { - if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx)) - { - ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB); - goto err; - } - } - if (group->meth->field_encode != 0) - { - /* in the Montgomery case, we just turned R*H (representing H) - * into 1/(R*H), but we need R*(1/H) (representing 1/H); - * i.e. we have need to multiply by the Montgomery factor twice */ - if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; - if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; - } + /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z, + * skipping any zero-valued inputs (pretend that they're 1). */ - /* set other heap[i]'s to their inverses */ - for (i = 2; i < pow2/2 + num; i += 2) + if (!BN_is_zero(&points[0]->Z)) { - /* i is even */ - if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) + if (!BN_copy(prod_Z[0], &points[0]->Z)) goto err; + } + else + { + if (group->meth->field_set_to_one != 0) { - if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err; - if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err; - if (!BN_copy(heap[i], tmp0)) goto err; - if (!BN_copy(heap[i + 1], tmp1)) goto err; + if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) goto err; } else { - if (!BN_copy(heap[i], heap[i/2])) goto err; + if (!BN_one(prod_Z[0])) goto err; } } - /* we have replaced all non-zero Z's by their inverses, now fix up all the points */ + for (i = 1; i < num; i++) + { + if (!BN_is_zero(&points[i]->Z)) + { + if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1], &points[i]->Z, ctx)) goto err; + } + else + { + if (!BN_copy(prod_Z[i], prod_Z[i - 1])) goto err; + } + } + + /* Now use a single explicit inversion to replace every + * non-zero points[i]->Z by its inverse. */ + + if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx)) + { + ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB); + goto err; + } + if (group->meth->field_encode != 0) + { + /* In the Montgomery case, we just turned R*H (representing H) + * into 1/(R*H), but we need R*(1/H) (representing 1/H); + * i.e. we need to multiply by the Montgomery factor twice. */ + if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err; + if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err; + } + + for (i = num - 1; i > 0; --i) + { + /* Loop invariant: tmp is the product of the inverses of + * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */ + if (!BN_is_zero(&points[i]->Z)) + { + /* Set tmp_Z to the inverse of points[i]->Z (as product + * of Z inverses 0 .. i, Z values 0 .. i - 1). */ + if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx)) goto err; + /* Update tmp to satisfy the loop invariant for i - 1. */ + if (!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx)) goto err; + /* Replace points[i]->Z by its inverse. */ + if (!BN_copy(&points[i]->Z, tmp_Z)) goto err; + } + } + + if (!BN_is_zero(&points[0]->Z)) + { + /* Replace points[0]->Z by its inverse. */ + if (!BN_copy(&points[0]->Z, tmp)) goto err; + } + + /* Finally, fix up the X and Y coordinates for all points. */ + for (i = 0; i < num; i++) { EC_POINT *p = points[i]; - + if (!BN_is_zero(&p->Z)) { /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */ - if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err; - if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err; + if (!group->meth->field_sqr(group, tmp, &p->Z, ctx)) goto err; + if (!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx)) goto err; + + if (!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx)) goto err; + if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) goto err; - if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err; - if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err; - if (group->meth->field_set_to_one != 0) { if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err; @@ -1688,20 +1667,19 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT } ret = 1; - + err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); - if (heap != NULL) + if (prod_Z != NULL) { - /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */ - for (i = pow2/2 - 1; i > 0; i--) + for (i = 0; i < num; i++) { - if (heap[i] != NULL) - BN_clear_free(heap[i]); + if (prod_Z[i] != NULL) + BN_clear_free(prod_Z[i]); } - OPENSSL_free(heap); + OPENSSL_free(prod_Z); } return ret; } diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_err.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_key.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdh/ech_ossl.c b/Cryptlib/OpenSSL/crypto/ecdh/ech_ossl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_asn1.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_err.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_ossl.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_ossl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_sign.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ecdsa/ecs_vrf.c b/Cryptlib/OpenSSL/crypto/ecdsa/ecs_vrf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_all.c b/Cryptlib/OpenSSL/crypto/engine/eng_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c b/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c b/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c b/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_dyn.c b/Cryptlib/OpenSSL/crypto/engine/eng_dyn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_err.c b/Cryptlib/OpenSSL/crypto/engine/eng_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_fat.c b/Cryptlib/OpenSSL/crypto/engine/eng_fat.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_init.c b/Cryptlib/OpenSSL/crypto/engine/eng_init.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_lib.c b/Cryptlib/OpenSSL/crypto/engine/eng_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_list.c b/Cryptlib/OpenSSL/crypto/engine/eng_list.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c b/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_padlock.c b/Cryptlib/OpenSSL/crypto/engine/eng_padlock.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_pkey.c b/Cryptlib/OpenSSL/crypto/engine/eng_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_table.c b/Cryptlib/OpenSSL/crypto/engine/eng_table.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_cipher.c b/Cryptlib/OpenSSL/crypto/engine/tb_cipher.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_dh.c b/Cryptlib/OpenSSL/crypto/engine/tb_dh.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_digest.c b/Cryptlib/OpenSSL/crypto/engine/tb_digest.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_dsa.c b/Cryptlib/OpenSSL/crypto/engine/tb_dsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_ecdh.c b/Cryptlib/OpenSSL/crypto/engine/tb_ecdh.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_ecdsa.c b/Cryptlib/OpenSSL/crypto/engine/tb_ecdsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_rand.c b/Cryptlib/OpenSSL/crypto/engine/tb_rand.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_rsa.c b/Cryptlib/OpenSSL/crypto/engine/tb_rsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/engine/tb_store.c b/Cryptlib/OpenSSL/crypto/engine/tb_store.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_all.c b/Cryptlib/OpenSSL/crypto/err/err_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_bio.c b/Cryptlib/OpenSSL/crypto/err/err_bio.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_def.c b/Cryptlib/OpenSSL/crypto/err/err_def.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_prn.c b/Cryptlib/OpenSSL/crypto/err/err_prn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/err/err_str.c b/Cryptlib/OpenSSL/crypto/err/err_str.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_enc.c b/Cryptlib/OpenSSL/crypto/evp/bio_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_md.c b/Cryptlib/OpenSSL/crypto/evp/bio_md.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_ok.c b/Cryptlib/OpenSSL/crypto/evp/bio_ok.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/c_all.c b/Cryptlib/OpenSSL/crypto/evp/c_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/c_allc.c b/Cryptlib/OpenSSL/crypto/evp/c_allc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/c_alld.c b/Cryptlib/OpenSSL/crypto/evp/c_alld.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/dig_eng.c b/Cryptlib/OpenSSL/crypto/evp/dig_eng.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/digest.c b/Cryptlib/OpenSSL/crypto/evp/digest.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes.c b/Cryptlib/OpenSSL/crypto/evp/e_aes.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_bf.c b/Cryptlib/OpenSSL/crypto/evp/e_bf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_cast.c b/Cryptlib/OpenSSL/crypto/evp/e_cast.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_des.c b/Cryptlib/OpenSSL/crypto/evp/e_des.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_des3.c b/Cryptlib/OpenSSL/crypto/evp/e_des3.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_idea.c b/Cryptlib/OpenSSL/crypto/evp/e_idea.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_null.c b/Cryptlib/OpenSSL/crypto/evp/e_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_old.c b/Cryptlib/OpenSSL/crypto/evp/e_old.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc2.c b/Cryptlib/OpenSSL/crypto/evp/e_rc2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc4.c b/Cryptlib/OpenSSL/crypto/evp/e_rc4.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc5.c b/Cryptlib/OpenSSL/crypto/evp/e_rc5.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c b/Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/enc_min.c b/Cryptlib/OpenSSL/crypto/evp/enc_min.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/encode.c b/Cryptlib/OpenSSL/crypto/evp/encode.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c b/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c b/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_err.c b/Cryptlib/OpenSSL/crypto/evp/evp_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_key.c b/Cryptlib/OpenSSL/crypto/evp/evp_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c b/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c b/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_dss.c b/Cryptlib/OpenSSL/crypto/evp/m_dss.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_dss1.c b/Cryptlib/OpenSSL/crypto/evp/m_dss1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c b/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md2.c b/Cryptlib/OpenSSL/crypto/evp/m_md2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md4.c b/Cryptlib/OpenSSL/crypto/evp/m_md4.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md5.c b/Cryptlib/OpenSSL/crypto/evp/m_md5.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_null.c b/Cryptlib/OpenSSL/crypto/evp/m_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c b/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sha.c b/Cryptlib/OpenSSL/crypto/evp/m_sha.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sha1.c b/Cryptlib/OpenSSL/crypto/evp/m_sha1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/names.c b/Cryptlib/OpenSSL/crypto/evp/names.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c b/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c b/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_dec.c b/Cryptlib/OpenSSL/crypto/evp/p_dec.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_enc.c b/Cryptlib/OpenSSL/crypto/evp/p_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_lib.c b/Cryptlib/OpenSSL/crypto/evp/p_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_open.c b/Cryptlib/OpenSSL/crypto/evp/p_open.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_seal.c b/Cryptlib/OpenSSL/crypto/evp/p_seal.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_sign.c b/Cryptlib/OpenSSL/crypto/evp/p_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/evp/p_verify.c b/Cryptlib/OpenSSL/crypto/evp/p_verify.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ex_data.c b/Cryptlib/OpenSSL/crypto/ex_data.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/fips_err.c b/Cryptlib/OpenSSL/crypto/fips_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/hmac/hmac.c b/Cryptlib/OpenSSL/crypto/hmac/hmac.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_cbc.c b/Cryptlib/OpenSSL/crypto/idea/i_cbc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_cfb64.c b/Cryptlib/OpenSSL/crypto/idea/i_cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_ecb.c b/Cryptlib/OpenSSL/crypto/idea/i_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_ofb64.c b/Cryptlib/OpenSSL/crypto/idea/i_ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/idea/i_skey.c b/Cryptlib/OpenSSL/crypto/idea/i_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/krb5/krb5_asn.c b/Cryptlib/OpenSSL/crypto/krb5/krb5_asn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c b/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/lhash/lhash.c b/Cryptlib/OpenSSL/crypto/lhash/lhash.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md2/md2_dgst.c b/Cryptlib/OpenSSL/crypto/md2/md2_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md2/md2_one.c b/Cryptlib/OpenSSL/crypto/md2/md2_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md4/md4_dgst.c b/Cryptlib/OpenSSL/crypto/md4/md4_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md4/md4_one.c b/Cryptlib/OpenSSL/crypto/md4/md4_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c b/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_one.c b/Cryptlib/OpenSSL/crypto/md5/md5_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/mem.c b/Cryptlib/OpenSSL/crypto/mem.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/mem_clr.c b/Cryptlib/OpenSSL/crypto/mem_clr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/mem_dbg.c b/Cryptlib/OpenSSL/crypto/mem_dbg.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_dir.c b/Cryptlib/OpenSSL/crypto/o_dir.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_init.c b/Cryptlib/OpenSSL/crypto/o_init.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_str.c b/Cryptlib/OpenSSL/crypto/o_str.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/o_time.c b/Cryptlib/OpenSSL/crypto/o_time.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/objects/o_names.c b/Cryptlib/OpenSSL/crypto/objects/o_names.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_dat.c b/Cryptlib/OpenSSL/crypto/objects/obj_dat.c old mode 100755 new mode 100644 index 760af16..cf5ba2a --- a/Cryptlib/OpenSSL/crypto/objects/obj_dat.c +++ b/Cryptlib/OpenSSL/crypto/objects/obj_dat.c @@ -444,11 +444,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) unsigned char *p; char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; - if ((a == NULL) || (a->data == NULL)) { - buf[0]='\0'; - return(0); - } + /* Ensure that, at every state, |buf| is NUL-terminated. */ + if (buf && buf_len > 0) + buf[0] = '\0'; + if ((a == NULL) || (a->data == NULL)) + return(0); if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) { @@ -527,9 +528,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) i=(int)(l/40); l-=(long)(i*40); } - if (buf && (buf_len > 0)) + if (buf && (buf_len > 1)) { *buf++ = i + '0'; + *buf = '\0'; buf_len--; } n++; @@ -544,9 +546,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) i = strlen(bndec); if (buf) { - if (buf_len > 0) + if (buf_len > 1) { *buf++ = '.'; + *buf = '\0'; buf_len--; } BUF_strlcpy(buf,bndec,buf_len); @@ -786,4 +789,3 @@ err: OPENSSL_free(buf); return(ok); } - diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_err.c b/Cryptlib/OpenSSL/crypto/objects/obj_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_lib.c b/Cryptlib/OpenSSL/crypto/objects/obj_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c old mode 100755 new mode 100644 index 92aba08..fb87cd7 --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c @@ -464,6 +464,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) ctx = OCSP_sendreq_new(b, path, req, -1); + if (!ctx) + return NULL; + do { rv = OCSP_sendreq_nbio(&resp, ctx); diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c old mode 100755 new mode 100644 index 441ccb7..5883b4e --- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c +++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c @@ -220,8 +220,19 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss if (!*ppath) goto mem_err; + p = host; + if(host[0] == '[') + { + /* ipv6 literal */ + host++; + p = strchr(host, ']'); + if(!p) goto parse_err; + *p = '\0'; + p++; + } + /* Look for optional ':' for port number */ - if ((p = strchr(host, ':'))) + if ((p = strchr(p, ':'))) { *p = 0; port = p + 1; diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_all.c b/Cryptlib/OpenSSL/crypto/pem/pem_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_err.c b/Cryptlib/OpenSSL/crypto/pem/pem_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_info.c b/Cryptlib/OpenSSL/crypto/pem/pem_info.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_lib.c b/Cryptlib/OpenSSL/crypto/pem/pem_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_oth.c b/Cryptlib/OpenSSL/crypto/pem/pem_oth.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c b/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c b/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_seal.c b/Cryptlib/OpenSSL/crypto/pem/pem_seal.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_sign.c b/Cryptlib/OpenSSL/crypto/pem/pem_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_x509.c b/Cryptlib/OpenSSL/crypto/pem/pem_x509.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c b/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c b/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c b/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c b/Cryptlib/OpenSSL/crypto/pqueue/pqueue.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/md_rand.c b/Cryptlib/OpenSSL/crypto/rand/md_rand.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_egd.c b/Cryptlib/OpenSSL/crypto/rand/rand_egd.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_eng.c b/Cryptlib/OpenSSL/crypto/rand/rand_eng.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_err.c b/Cryptlib/OpenSSL/crypto/rand/rand_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_lib.c b/Cryptlib/OpenSSL/crypto/rand/rand_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_nw.c b/Cryptlib/OpenSSL/crypto/rand/rand_nw.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_os2.c b/Cryptlib/OpenSSL/crypto/rand/rand_os2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_unix.c b/Cryptlib/OpenSSL/crypto/rand/rand_unix.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_win.c b/Cryptlib/OpenSSL/crypto/rand/rand_win.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rand/randfile.c b/Cryptlib/OpenSSL/crypto/rand/randfile.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2_cbc.c b/Cryptlib/OpenSSL/crypto/rc2/rc2_cbc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2_ecb.c b/Cryptlib/OpenSSL/crypto/rc2/rc2_ecb.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2_skey.c b/Cryptlib/OpenSSL/crypto/rc2/rc2_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2cfb64.c b/Cryptlib/OpenSSL/crypto/rc2/rc2cfb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc2/rc2ofb64.c b/Cryptlib/OpenSSL/crypto/rc2/rc2ofb64.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_fblk.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_fblk.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ripemd/rmd_dgst.c b/Cryptlib/OpenSSL/crypto/ripemd/rmd_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ripemd/rmd_one.c b/Cryptlib/OpenSSL/crypto/ripemd/rmd_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c old mode 100755 new mode 100644 index d477f08..203d702 --- a/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c +++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c @@ -457,7 +457,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (padding == RSA_X931_PADDING) { BN_sub(f, rsa->n, ret); - if (BN_cmp(ret, f)) + if (BN_cmp(ret, f) > 0) res = f; else res = ret; diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_eng.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_eng.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha1_one.c b/Cryptlib/OpenSSL/crypto/sha/sha1_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c b/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha256.c b/Cryptlib/OpenSSL/crypto/sha/sha256.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha512.c b/Cryptlib/OpenSSL/crypto/sha/sha512.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c b/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_one.c b/Cryptlib/OpenSSL/crypto/sha/sha_one.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/stack/stack.c b/Cryptlib/OpenSSL/crypto/stack/stack.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_err.c b/Cryptlib/OpenSSL/crypto/store/str_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_lib.c b/Cryptlib/OpenSSL/crypto/store/str_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_mem.c b/Cryptlib/OpenSSL/crypto/store/str_mem.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/store/str_meth.c b/Cryptlib/OpenSSL/crypto/store/str_meth.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c b/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_compat.c b/Cryptlib/OpenSSL/crypto/ui/ui_compat.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_err.c b/Cryptlib/OpenSSL/crypto/ui/ui_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_lib.c b/Cryptlib/OpenSSL/crypto/ui/ui_lib.c old mode 100755 new mode 100644 index ac01008..67013f8 --- a/Cryptlib/OpenSSL/crypto/ui/ui_lib.c +++ b/Cryptlib/OpenSSL/crypto/ui/ui_lib.c @@ -897,9 +897,9 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result) break; } } + } default: break; } - } return 0; } diff --git a/Cryptlib/OpenSSL/crypto/ui/ui_util.c b/Cryptlib/OpenSSL/crypto/ui/ui_util.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/uid.c b/Cryptlib/OpenSSL/crypto/uid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/by_dir.c b/Cryptlib/OpenSSL/crypto/x509/by_dir.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/by_file.c b/Cryptlib/OpenSSL/crypto/x509/by_file.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_att.c b/Cryptlib/OpenSSL/crypto/x509/x509_att.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_d2.c b/Cryptlib/OpenSSL/crypto/x509/x509_d2.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_def.c b/Cryptlib/OpenSSL/crypto/x509/x509_def.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_err.c b/Cryptlib/OpenSSL/crypto/x509/x509_err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_ext.c b/Cryptlib/OpenSSL/crypto/x509/x509_ext.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c b/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_req.c b/Cryptlib/OpenSSL/crypto/x509/x509_req.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_set.c b/Cryptlib/OpenSSL/crypto/x509/x509_set.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_trs.c b/Cryptlib/OpenSSL/crypto/x509/x509_trs.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_txt.c b/Cryptlib/OpenSSL/crypto/x509/x509_txt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_v3.c b/Cryptlib/OpenSSL/crypto/x509/x509_v3.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509cset.c b/Cryptlib/OpenSSL/crypto/x509/x509cset.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509name.c b/Cryptlib/OpenSSL/crypto/x509/x509name.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509rset.c b/Cryptlib/OpenSSL/crypto/x509/x509rset.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509spki.c b/Cryptlib/OpenSSL/crypto/x509/x509spki.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x509type.c b/Cryptlib/OpenSSL/crypto/x509/x509type.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3err.c b/Cryptlib/OpenSSL/crypto/x509v3/v3err.c old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/e_os.h b/Cryptlib/OpenSSL/e_os.h old mode 100755 new mode 100644 diff --git a/Cryptlib/OpenSSL/update.sh b/Cryptlib/OpenSSL/update.sh index 95875e7..897ef2d 100755 --- a/Cryptlib/OpenSSL/update.sh +++ b/Cryptlib/OpenSSL/update.sh @@ -1,501 +1,504 @@ #/bin/sh DIR=$1 +version="0.9.8zb" -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/e_os.h e_os.h -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cryptlib.c crypto/cryptlib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dyn_lck.c crypto/dyn_lck.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/mem.c crypto/mem.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/mem_clr.c crypto/mem_clr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/mem_dbg.c crypto/mem_dbg.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cversion.c crypto/cversion.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ex_data.c crypto/ex_data.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cpt_err.c crypto/cpt_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ebcdic.c crypto/ebcdic.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/uid.c crypto/uid.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_time.c crypto/o_time.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_str.c crypto/o_str.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_dir.c crypto/o_dir.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/o_init.c crypto/o_init.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/fips_err.c crypto/fips_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md2/md2_dgst.c crypto/md2/md2_dgst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md2/md2_one.c crypto/md2/md2_one.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md4/md4_dgst.c crypto/md4/md4_dgst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md4/md4_one.c crypto/md4/md4_one.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md5/md5_dgst.c crypto/md5/md5_dgst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/md5/md5_one.c crypto/md5/md5_one.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha_dgst.c crypto/sha/sha_dgst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha1dgst.c crypto/sha/sha1dgst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha_one.c crypto/sha/sha_one.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha1_one.c crypto/sha/sha1_one.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha256.c crypto/sha/sha256.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/sha/sha512.c crypto/sha/sha512.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/hmac/hmac.c crypto/hmac/hmac.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ripemd/rmd_dgst.c crypto/ripemd/rmd_dgst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ripemd/rmd_one.c crypto/ripemd/rmd_one.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_lib.c crypto/des/des_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/set_key.c crypto/des/set_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ecb_enc.c crypto/des/ecb_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cbc_enc.c crypto/des/cbc_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ecb3_enc.c crypto/des/ecb3_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cfb64enc.c crypto/des/cfb64enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cfb64ede.c crypto/des/cfb64ede.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cfb_enc.c crypto/des/cfb_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ofb64ede.c crypto/des/ofb64ede.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/enc_read.c crypto/des/enc_read.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/enc_writ.c crypto/des/enc_writ.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ofb64enc.c crypto/des/ofb64enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ofb_enc.c crypto/des/ofb_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/str2key.c crypto/des/str2key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/pcbc_enc.c crypto/des/pcbc_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/qud_cksm.c crypto/des/qud_cksm.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/rand_key.c crypto/des/rand_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_enc.c crypto/des/des_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/fcrypt_b.c crypto/des/fcrypt_b.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/fcrypt.c crypto/des/fcrypt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/xcbc_enc.c crypto/des/xcbc_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/rpc_enc.c crypto/des/rpc_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/cbc_cksm.c crypto/des/cbc_cksm.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/ede_cbcm_enc.c crypto/des/ede_cbcm_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_old.c crypto/des/des_old.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/des_old2.c crypto/des/des_old2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/des/read2pwd.c crypto/des/read2pwd.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2_ecb.c crypto/rc2/rc2_ecb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2_skey.c crypto/rc2/rc2_skey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2_cbc.c crypto/rc2/rc2_cbc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2cfb64.c crypto/rc2/rc2cfb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc2/rc2ofb64.c crypto/rc2/rc2ofb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc4/rc4_enc.c crypto/rc4/rc4_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc4/rc4_skey.c crypto/rc4/rc4_skey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rc4/rc4_fblk.c crypto/rc4/rc4_fblk.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_cbc.c crypto/idea/i_cbc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_cfb64.c crypto/idea/i_cfb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_ofb64.c crypto/idea/i_ofb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_ecb.c crypto/idea/i_ecb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/idea/i_skey.c crypto/idea/i_skey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_skey.c crypto/bf/bf_skey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_ecb.c crypto/bf/bf_ecb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_enc.c crypto/bf/bf_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_cfb64.c crypto/bf/bf_cfb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bf/bf_ofb64.c crypto/bf/bf_ofb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_skey.c crypto/cast/c_skey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_ecb.c crypto/cast/c_ecb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_enc.c crypto/cast/c_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_cfb64.c crypto/cast/c_cfb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/cast/c_ofb64.c crypto/cast/c_ofb64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_misc.c crypto/aes/aes_misc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ecb.c crypto/aes/aes_ecb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ofb.c crypto/aes/aes_ofb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ctr.c crypto/aes/aes_ctr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_ige.c crypto/aes/aes_ige.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_wrap.c crypto/aes/aes_wrap.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_core.c crypto/aes/aes_core.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/aes/aes_cbc.c crypto/aes/aes_cbc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_add.c crypto/bn/bn_add.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_div.c crypto/bn/bn_div.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_exp.c crypto/bn/bn_exp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_lib.c crypto/bn/bn_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_ctx.c crypto/bn/bn_ctx.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mul.c crypto/bn/bn_mul.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mod.c crypto/bn/bn_mod.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_print.c crypto/bn/bn_print.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_rand.c crypto/bn/bn_rand.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_shift.c crypto/bn/bn_shift.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_word.c crypto/bn/bn_word.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_blind.c crypto/bn/bn_blind.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_kron.c crypto/bn/bn_kron.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_sqrt.c crypto/bn/bn_sqrt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_gcd.c crypto/bn/bn_gcd.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_prime.c crypto/bn/bn_prime.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_err.c crypto/bn/bn_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_sqr.c crypto/bn/bn_sqr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_asm.c crypto/bn/bn_asm.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_recp.c crypto/bn/bn_recp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mont.c crypto/bn/bn_mont.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_mpi.c crypto/bn/bn_mpi.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_exp2.c crypto/bn/bn_exp2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_gf2m.c crypto/bn/bn_gf2m.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_nist.c crypto/bn/bn_nist.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_depr.c crypto/bn/bn_depr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_x931p.c crypto/bn/bn_x931p.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_const.c crypto/bn/bn_const.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bn/bn_opt.c crypto/bn/bn_opt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_gen.c crypto/rsa/rsa_gen.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_sign.c crypto/rsa/rsa_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_saos.c crypto/rsa/rsa_saos.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_err.c crypto/rsa/rsa_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_pk1.c crypto/rsa/rsa_pk1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_ssl.c crypto/rsa/rsa_ssl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_none.c crypto/rsa/rsa_none.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_chk.c crypto/rsa/rsa_chk.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_null.c crypto/rsa/rsa_null.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_pss.c crypto/rsa/rsa_pss.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_x931.c crypto/rsa/rsa_x931.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_x931g.c crypto/rsa/rsa_x931g.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_asn1.c crypto/rsa/rsa_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_depr.c crypto/rsa/rsa_depr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rsa/rsa_eng.c crypto/rsa/rsa_eng.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_gen.c crypto/dsa/dsa_gen.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_key.c crypto/dsa/dsa_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_asn1.c crypto/dsa/dsa_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_vrf.c crypto/dsa/dsa_vrf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_sign.c crypto/dsa/dsa_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_err.c crypto/dsa/dsa_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_ossl.c crypto/dsa/dsa_ossl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_depr.c crypto/dsa/dsa_depr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dsa/dsa_utl.c crypto/dsa/dsa_utl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_dl.c crypto/dso/dso_dl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_dlfcn.c crypto/dso/dso_dlfcn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_err.c crypto/dso/dso_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_lib.c crypto/dso/dso_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_null.c crypto/dso/dso_null.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_openssl.c crypto/dso/dso_openssl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_win32.c crypto/dso/dso_win32.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dso/dso_vms.c crypto/dso/dso_vms.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_asn1.c crypto/dh/dh_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_gen.c crypto/dh/dh_gen.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_key.c crypto/dh/dh_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_lib.c crypto/dh/dh_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_check.c crypto/dh/dh_check.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_err.c crypto/dh/dh_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/dh/dh_depr.c crypto/dh/dh_depr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_lib.c crypto/ec/ec_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ecp_smpl.c crypto/ec/ecp_smpl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ecp_mont.c crypto/ec/ecp_mont.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ecp_nist.c crypto/ec/ecp_nist.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_cvt.c crypto/ec/ec_cvt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_mult.c crypto/ec/ec_mult.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_err.c crypto/ec/ec_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_curve.c crypto/ec/ec_curve.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_check.c crypto/ec/ec_check.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_print.c crypto/ec/ec_print.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec_key.c crypto/ec/ec_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec2_smpl.c crypto/ec/ec2_smpl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ec/ec2_mult.c crypto/ec/ec2_mult.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_lib.c crypto/ecdh/ech_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_ossl.c crypto/ecdh/ech_ossl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_key.c crypto/ecdh/ech_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdh/ech_err.c crypto/ecdh/ech_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_lib.c crypto/ecdsa/ecs_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_asn1.c crypto/ecdsa/ecs_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_sign.c crypto/ecdsa/ecs_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_vrf.c crypto/ecdsa/ecs_vrf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ecdsa/ecs_err.c crypto/ecdsa/ecs_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/buffer/buffer.c crypto/buffer/buffer.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/buffer/buf_str.c crypto/buffer/buf_str.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/buffer/buf_err.c crypto/buffer/buf_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bio_lib.c crypto/bio/bio_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bio_cb.c crypto/bio/bio_cb.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bio_err.c crypto/bio/bio_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_mem.c crypto/bio/bss_mem.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_null.c crypto/bio/bss_null.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_fd.c crypto/bio/bss_fd.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_file.c crypto/bio/bss_file.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bf_null.c crypto/bio/bf_null.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bf_buff.c crypto/bio/bf_buff.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/b_dump.c crypto/bio/b_dump.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bf_nbio.c crypto/bio/bf_nbio.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_log.c crypto/bio/bss_log.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_bio.c crypto/bio/bss_bio.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/bio/bss_dgram.c crypto/bio/bss_dgram.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/stack/stack.c crypto/stack/stack.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/lhash/lhash.c crypto/lhash/lhash.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/lhash/lh_stats.c crypto/lhash/lh_stats.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/md_rand.c crypto/rand/md_rand.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/randfile.c crypto/rand/randfile.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_lib.c crypto/rand/rand_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_eng.c crypto/rand/rand_eng.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_err.c crypto/rand/rand_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_egd.c crypto/rand/rand_egd.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_win.c crypto/rand/rand_win.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_unix.c crypto/rand/rand_unix.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_os2.c crypto/rand/rand_os2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/rand/rand_nw.c crypto/rand/rand_nw.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err.c crypto/err/err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_def.c crypto/err/err_def.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_all.c crypto/err/err_all.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_prn.c crypto/err/err_prn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_str.c crypto/err/err_str.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/err/err_bio.c crypto/err/err_bio.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/o_names.c crypto/objects/o_names.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/obj_dat.c crypto/objects/obj_dat.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/obj_lib.c crypto/objects/obj_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/objects/obj_err.c crypto/objects/obj_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/encode.c crypto/evp/encode.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/digest.c crypto/evp/digest.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/dig_eng.c crypto/evp/dig_eng.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_enc.c crypto/evp/evp_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_key.c crypto/evp/evp_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_acnf.c crypto/evp/evp_acnf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_cnf.c crypto/evp/evp_cnf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_des.c crypto/evp/e_des.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_bf.c crypto/evp/e_bf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_idea.c crypto/evp/e_idea.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_des3.c crypto/evp/e_des3.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_rc4.c crypto/evp/e_rc4.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_aes.c crypto/evp/e_aes.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/names.c crypto/evp/names.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_xcbc_d.c crypto/evp/e_xcbc_d.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_rc2.c crypto/evp/e_rc2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_cast.c crypto/evp/e_cast.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_rc5.c crypto/evp/e_rc5.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/enc_min.c crypto/evp/enc_min.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_null.c crypto/evp/m_null.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_md2.c crypto/evp/m_md2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_md4.c crypto/evp/m_md4.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_md5.c crypto/evp/m_md5.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_sha.c crypto/evp/m_sha.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_sha1.c crypto/evp/m_sha1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_dss.c crypto/evp/m_dss.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_dss1.c crypto/evp/m_dss1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_ripemd.c crypto/evp/m_ripemd.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/m_ecdsa.c crypto/evp/m_ecdsa.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_open.c crypto/evp/p_open.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_seal.c crypto/evp/p_seal.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_sign.c crypto/evp/p_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_verify.c crypto/evp/p_verify.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_lib.c crypto/evp/p_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_enc.c crypto/evp/p_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p_dec.c crypto/evp/p_dec.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_md.c crypto/evp/bio_md.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_b64.c crypto/evp/bio_b64.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_enc.c crypto/evp/bio_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_err.c crypto/evp/evp_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_null.c crypto/evp/e_null.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/c_all.c crypto/evp/c_all.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/c_allc.c crypto/evp/c_allc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/c_alld.c crypto/evp/c_alld.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_lib.c crypto/evp/evp_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/bio_ok.c crypto/evp/bio_ok.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_pkey.c crypto/evp/evp_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/evp_pbe.c crypto/evp/evp_pbe.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p5_crpt.c crypto/evp/p5_crpt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/p5_crpt2.c crypto/evp/p5_crpt2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/evp/e_old.c crypto/evp/e_old.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_object.c crypto/asn1/a_object.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_utctm.c crypto/asn1/a_utctm.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_gentm.c crypto/asn1/a_gentm.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_time.c crypto/asn1/a_time.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_int.c crypto/asn1/a_int.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_octet.c crypto/asn1/a_octet.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_print.c crypto/asn1/a_print.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_type.c crypto/asn1/a_type.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_set.c crypto/asn1/a_set.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_dup.c crypto/asn1/a_dup.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_d2i_fp.c crypto/asn1/a_d2i_fp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_i2d_fp.c crypto/asn1/a_i2d_fp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_enum.c crypto/asn1/a_enum.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_utf8.c crypto/asn1/a_utf8.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_sign.c crypto/asn1/a_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_digest.c crypto/asn1/a_digest.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_verify.c crypto/asn1/a_verify.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_mbstr.c crypto/asn1/a_mbstr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_strex.c crypto/asn1/a_strex.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_algor.c crypto/asn1/x_algor.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_val.c crypto/asn1/x_val.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_pubkey.c crypto/asn1/x_pubkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_sig.c crypto/asn1/x_sig.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_req.c crypto/asn1/x_req.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_attrib.c crypto/asn1/x_attrib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_bignum.c crypto/asn1/x_bignum.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_long.c crypto/asn1/x_long.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_name.c crypto/asn1/x_name.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_x509.c crypto/asn1/x_x509.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_x509a.c crypto/asn1/x_x509a.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_crl.c crypto/asn1/x_crl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_info.c crypto/asn1/x_info.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_spki.c crypto/asn1/x_spki.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/nsseq.c crypto/asn1/nsseq.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/d2i_pu.c crypto/asn1/d2i_pu.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/d2i_pr.c crypto/asn1/d2i_pr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/i2d_pu.c crypto/asn1/i2d_pu.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/i2d_pr.c crypto/asn1/i2d_pr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_req.c crypto/asn1/t_req.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_x509.c crypto/asn1/t_x509.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_x509a.c crypto/asn1/t_x509a.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_crl.c crypto/asn1/t_crl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_spki.c crypto/asn1/t_spki.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/t_bitst.c crypto/asn1/t_bitst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_new.c crypto/asn1/tasn_new.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_fre.c crypto/asn1/tasn_fre.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_enc.c crypto/asn1/tasn_enc.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_dec.c crypto/asn1/tasn_dec.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_utl.c crypto/asn1/tasn_utl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/tasn_typ.c crypto/asn1/tasn_typ.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/f_int.c crypto/asn1/f_int.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/f_string.c crypto/asn1/f_string.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/n_pkey.c crypto/asn1/n_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/f_enum.c crypto/asn1/f_enum.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_hdr.c crypto/asn1/a_hdr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_pkey.c crypto/asn1/x_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_bool.c crypto/asn1/a_bool.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/x_exten.c crypto/asn1/x_exten.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn_mime.c crypto/asn1/asn_mime.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_gen.c crypto/asn1/asn1_gen.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_par.c crypto/asn1/asn1_par.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_lib.c crypto/asn1/asn1_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn1_err.c crypto/asn1/asn1_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_meth.c crypto/asn1/a_meth.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_bytes.c crypto/asn1/a_bytes.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/a_strnid.c crypto/asn1/a_strnid.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/evp_asn1.c crypto/asn1/evp_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn_pack.c crypto/asn1/asn_pack.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/p5_pbe.c crypto/asn1/p5_pbe.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/p5_pbev2.c crypto/asn1/p5_pbev2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/asn1/asn_moid.c crypto/asn1/asn_moid.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_sign.c crypto/pem/pem_sign.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_seal.c crypto/pem/pem_seal.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_info.c crypto/pem/pem_info.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_lib.c crypto/pem/pem_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_all.c crypto/pem/pem_all.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_err.c crypto/pem/pem_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_x509.c crypto/pem/pem_x509.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_xaux.c crypto/pem/pem_xaux.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_oth.c crypto/pem/pem_oth.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_pk8.c crypto/pem/pem_pk8.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pem/pem_pkey.c crypto/pem/pem_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_def.c crypto/x509/x509_def.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_d2.c crypto/x509/x509_d2.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_r2x.c crypto/x509/x509_r2x.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_cmp.c crypto/x509/x509_cmp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_obj.c crypto/x509/x509_obj.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_req.c crypto/x509/x509_req.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509spki.c crypto/x509/x509spki.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_set.c crypto/x509/x509_set.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509cset.c crypto/x509/x509cset.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509rset.c crypto/x509/x509rset.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_err.c crypto/x509/x509_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509name.c crypto/x509/x509name.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_v3.c crypto/x509/x509_v3.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_ext.c crypto/x509/x509_ext.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_att.c crypto/x509/x509_att.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509type.c crypto/x509/x509type.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_lu.c crypto/x509/x509_lu.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x_all.c crypto/x509/x_all.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_txt.c crypto/x509/x509_txt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_trs.c crypto/x509/x509_trs.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/by_file.c crypto/x509/by_file.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/by_dir.c crypto/x509/by_dir.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509/x509_vpm.c crypto/x509/x509_vpm.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_bcons.c crypto/x509v3/v3_bcons.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_bitst.c crypto/x509v3/v3_bitst.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_conf.c crypto/x509v3/v3_conf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_extku.c crypto/x509v3/v3_extku.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_ia5.c crypto/x509v3/v3_ia5.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_lib.c crypto/x509v3/v3_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_prn.c crypto/x509v3/v3_prn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3err.c crypto/x509v3/v3err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_skey.c crypto/x509v3/v3_skey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_akey.c crypto/x509v3/v3_akey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pku.c crypto/x509v3/v3_pku.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_int.c crypto/x509v3/v3_int.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_enum.c crypto/x509v3/v3_enum.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_sxnet.c crypto/x509v3/v3_sxnet.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_cpols.c crypto/x509v3/v3_cpols.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_crld.c crypto/x509v3/v3_crld.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_info.c crypto/x509v3/v3_info.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_ocsp.c crypto/x509v3/v3_ocsp.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_akeya.c crypto/x509v3/v3_akeya.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pmaps.c crypto/x509v3/v3_pmaps.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pcons.c crypto/x509v3/v3_pcons.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pcia.c crypto/x509v3/v3_pcia.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_pci.c crypto/x509v3/v3_pci.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_cache.c crypto/x509v3/pcy_cache.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_node.c crypto/x509v3/pcy_node.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_data.c crypto/x509v3/pcy_data.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_map.c crypto/x509v3/pcy_map.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/pcy_lib.c crypto/x509v3/pcy_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_asid.c crypto/x509v3/v3_asid.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/x509v3/v3_addr.c crypto/x509v3/v3_addr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_err.c crypto/conf/conf_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_lib.c crypto/conf/conf_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_api.c crypto/conf/conf_api.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_def.c crypto/conf/conf_def.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_mod.c crypto/conf/conf_mod.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_mall.c crypto/conf/conf_mall.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/conf/conf_sap.c crypto/conf/conf_sap.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/txt_db/txt_db.c crypto/txt_db/txt_db.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_asn1.c crypto/pkcs7/pk7_asn1.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_lib.c crypto/pkcs7/pk7_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pkcs7err.c crypto/pkcs7/pkcs7err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_doit.c crypto/pkcs7/pk7_doit.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_attr.c crypto/pkcs7/pk7_attr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs7/pk7_mime.c crypto/pkcs7/pk7_mime.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_add.c crypto/pkcs12/p12_add.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_asn.c crypto/pkcs12/p12_asn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_attr.c crypto/pkcs12/p12_attr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_crpt.c crypto/pkcs12/p12_crpt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_crt.c crypto/pkcs12/p12_crt.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_decr.c crypto/pkcs12/p12_decr.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_init.c crypto/pkcs12/p12_init.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_key.c crypto/pkcs12/p12_key.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_kiss.c crypto/pkcs12/p12_kiss.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_mutl.c crypto/pkcs12/p12_mutl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_utl.c crypto/pkcs12/p12_utl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_npas.c crypto/pkcs12/p12_npas.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/pk12err.c crypto/pkcs12/pk12err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_p8d.c crypto/pkcs12/p12_p8d.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pkcs12/p12_p8e.c crypto/pkcs12/p12_p8e.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/comp_lib.c crypto/comp/comp_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/comp_err.c crypto/comp/comp_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/c_rle.c crypto/comp/c_rle.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/comp/c_zlib.c crypto/comp/c_zlib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_err.c crypto/engine/eng_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_lib.c crypto/engine/eng_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_list.c crypto/engine/eng_list.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_init.c crypto/engine/eng_init.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_ctrl.c crypto/engine/eng_ctrl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_table.c crypto/engine/eng_table.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_pkey.c crypto/engine/eng_pkey.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_fat.c crypto/engine/eng_fat.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_all.c crypto/engine/eng_all.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_rsa.c crypto/engine/tb_rsa.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_dsa.c crypto/engine/tb_dsa.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_ecdsa.c crypto/engine/tb_ecdsa.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_dh.c crypto/engine/tb_dh.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_ecdh.c crypto/engine/tb_ecdh.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_rand.c crypto/engine/tb_rand.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_store.c crypto/engine/tb_store.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_cipher.c crypto/engine/tb_cipher.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/tb_digest.c crypto/engine/tb_digest.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_openssl.c crypto/engine/eng_openssl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_cnf.c crypto/engine/eng_cnf.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_dyn.c crypto/engine/eng_dyn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_cryptodev.c crypto/engine/eng_cryptodev.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/engine/eng_padlock.c crypto/engine/eng_padlock.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_asn.c crypto/ocsp/ocsp_asn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_ext.c crypto/ocsp/ocsp_ext.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_ht.c crypto/ocsp/ocsp_ht.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_lib.c crypto/ocsp/ocsp_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_cl.c crypto/ocsp/ocsp_cl.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_prn.c crypto/ocsp/ocsp_prn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_vfy.c crypto/ocsp/ocsp_vfy.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ocsp/ocsp_err.c crypto/ocsp/ocsp_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_err.c crypto/ui/ui_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_lib.c crypto/ui/ui_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_util.c crypto/ui/ui_util.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/ui/ui_compat.c crypto/ui/ui_compat.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_err.c crypto/store/str_err.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_lib.c crypto/store/str_lib.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_meth.c crypto/store/str_meth.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/store/str_mem.c crypto/store/str_mem.c -install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-0.9.8za/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/e_os.h e_os.h +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cryptlib.c crypto/cryptlib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dyn_lck.c crypto/dyn_lck.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/mem.c crypto/mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/mem_clr.c crypto/mem_clr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/mem_dbg.c crypto/mem_dbg.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cversion.c crypto/cversion.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ex_data.c crypto/ex_data.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cpt_err.c crypto/cpt_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ebcdic.c crypto/ebcdic.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/uid.c crypto/uid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_time.c crypto/o_time.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_str.c crypto/o_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_dir.c crypto/o_dir.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/o_init.c crypto/o_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/fips_err.c crypto/fips_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md2/md2_dgst.c crypto/md2/md2_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md2/md2_one.c crypto/md2/md2_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md4/md4_dgst.c crypto/md4/md4_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md4/md4_one.c crypto/md4/md4_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md5/md5_dgst.c crypto/md5/md5_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/md5/md5_one.c crypto/md5/md5_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha_dgst.c crypto/sha/sha_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha1dgst.c crypto/sha/sha1dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha_one.c crypto/sha/sha_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha1_one.c crypto/sha/sha1_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha256.c crypto/sha/sha256.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/sha/sha512.c crypto/sha/sha512.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/hmac/hmac.c crypto/hmac/hmac.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ripemd/rmd_dgst.c crypto/ripemd/rmd_dgst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ripemd/rmd_one.c crypto/ripemd/rmd_one.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_lib.c crypto/des/des_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/set_key.c crypto/des/set_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ecb_enc.c crypto/des/ecb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cbc_enc.c crypto/des/cbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ecb3_enc.c crypto/des/ecb3_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cfb64enc.c crypto/des/cfb64enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cfb64ede.c crypto/des/cfb64ede.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cfb_enc.c crypto/des/cfb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ofb64ede.c crypto/des/ofb64ede.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/enc_read.c crypto/des/enc_read.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/enc_writ.c crypto/des/enc_writ.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ofb64enc.c crypto/des/ofb64enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ofb_enc.c crypto/des/ofb_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/str2key.c crypto/des/str2key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/pcbc_enc.c crypto/des/pcbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/qud_cksm.c crypto/des/qud_cksm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/rand_key.c crypto/des/rand_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_enc.c crypto/des/des_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/fcrypt_b.c crypto/des/fcrypt_b.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/fcrypt.c crypto/des/fcrypt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/xcbc_enc.c crypto/des/xcbc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/rpc_enc.c crypto/des/rpc_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/cbc_cksm.c crypto/des/cbc_cksm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/ede_cbcm_enc.c crypto/des/ede_cbcm_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_old.c crypto/des/des_old.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/des_old2.c crypto/des/des_old2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/des/read2pwd.c crypto/des/read2pwd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2_ecb.c crypto/rc2/rc2_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2_skey.c crypto/rc2/rc2_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2_cbc.c crypto/rc2/rc2_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2cfb64.c crypto/rc2/rc2cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc2/rc2ofb64.c crypto/rc2/rc2ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc4/rc4_enc.c crypto/rc4/rc4_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc4/rc4_skey.c crypto/rc4/rc4_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rc4/rc4_fblk.c crypto/rc4/rc4_fblk.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_cbc.c crypto/idea/i_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_cfb64.c crypto/idea/i_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_ofb64.c crypto/idea/i_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_ecb.c crypto/idea/i_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/idea/i_skey.c crypto/idea/i_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_skey.c crypto/bf/bf_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_ecb.c crypto/bf/bf_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_enc.c crypto/bf/bf_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_cfb64.c crypto/bf/bf_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bf/bf_ofb64.c crypto/bf/bf_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_skey.c crypto/cast/c_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_ecb.c crypto/cast/c_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_enc.c crypto/cast/c_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_cfb64.c crypto/cast/c_cfb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/cast/c_ofb64.c crypto/cast/c_ofb64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_misc.c crypto/aes/aes_misc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ecb.c crypto/aes/aes_ecb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ofb.c crypto/aes/aes_ofb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ctr.c crypto/aes/aes_ctr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_ige.c crypto/aes/aes_ige.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_wrap.c crypto/aes/aes_wrap.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_core.c crypto/aes/aes_core.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/aes/aes_cbc.c crypto/aes/aes_cbc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_add.c crypto/bn/bn_add.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_div.c crypto/bn/bn_div.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_exp.c crypto/bn/bn_exp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_lib.c crypto/bn/bn_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_ctx.c crypto/bn/bn_ctx.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mul.c crypto/bn/bn_mul.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mod.c crypto/bn/bn_mod.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_print.c crypto/bn/bn_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_rand.c crypto/bn/bn_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_shift.c crypto/bn/bn_shift.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_word.c crypto/bn/bn_word.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_blind.c crypto/bn/bn_blind.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_kron.c crypto/bn/bn_kron.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_sqrt.c crypto/bn/bn_sqrt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_gcd.c crypto/bn/bn_gcd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_prime.c crypto/bn/bn_prime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_err.c crypto/bn/bn_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_sqr.c crypto/bn/bn_sqr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_asm.c crypto/bn/bn_asm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_recp.c crypto/bn/bn_recp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mont.c crypto/bn/bn_mont.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_mpi.c crypto/bn/bn_mpi.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_exp2.c crypto/bn/bn_exp2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_gf2m.c crypto/bn/bn_gf2m.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_nist.c crypto/bn/bn_nist.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_depr.c crypto/bn/bn_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_x931p.c crypto/bn/bn_x931p.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_const.c crypto/bn/bn_const.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bn/bn_opt.c crypto/bn/bn_opt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_eay.c crypto/rsa/rsa_eay.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_gen.c crypto/rsa/rsa_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_lib.c crypto/rsa/rsa_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_sign.c crypto/rsa/rsa_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_saos.c crypto/rsa/rsa_saos.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_err.c crypto/rsa/rsa_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_pk1.c crypto/rsa/rsa_pk1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_ssl.c crypto/rsa/rsa_ssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_none.c crypto/rsa/rsa_none.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_chk.c crypto/rsa/rsa_chk.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_null.c crypto/rsa/rsa_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_pss.c crypto/rsa/rsa_pss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_x931.c crypto/rsa/rsa_x931.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_x931g.c crypto/rsa/rsa_x931g.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_asn1.c crypto/rsa/rsa_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_depr.c crypto/rsa/rsa_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rsa/rsa_eng.c crypto/rsa/rsa_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_gen.c crypto/dsa/dsa_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_key.c crypto/dsa/dsa_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_lib.c crypto/dsa/dsa_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_asn1.c crypto/dsa/dsa_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_vrf.c crypto/dsa/dsa_vrf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_sign.c crypto/dsa/dsa_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_err.c crypto/dsa/dsa_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_ossl.c crypto/dsa/dsa_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_depr.c crypto/dsa/dsa_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dsa/dsa_utl.c crypto/dsa/dsa_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_dl.c crypto/dso/dso_dl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_dlfcn.c crypto/dso/dso_dlfcn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_err.c crypto/dso/dso_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_lib.c crypto/dso/dso_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_null.c crypto/dso/dso_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_openssl.c crypto/dso/dso_openssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_win32.c crypto/dso/dso_win32.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dso/dso_vms.c crypto/dso/dso_vms.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_asn1.c crypto/dh/dh_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_gen.c crypto/dh/dh_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_key.c crypto/dh/dh_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_lib.c crypto/dh/dh_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_check.c crypto/dh/dh_check.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_err.c crypto/dh/dh_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/dh/dh_depr.c crypto/dh/dh_depr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_lib.c crypto/ec/ec_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ecp_smpl.c crypto/ec/ecp_smpl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ecp_mont.c crypto/ec/ecp_mont.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ecp_nist.c crypto/ec/ecp_nist.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_cvt.c crypto/ec/ec_cvt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_mult.c crypto/ec/ec_mult.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_err.c crypto/ec/ec_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_curve.c crypto/ec/ec_curve.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_check.c crypto/ec/ec_check.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_print.c crypto/ec/ec_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec_key.c crypto/ec/ec_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec2_smpl.c crypto/ec/ec2_smpl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ec/ec2_mult.c crypto/ec/ec2_mult.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_lib.c crypto/ecdh/ech_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_ossl.c crypto/ecdh/ech_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_key.c crypto/ecdh/ech_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdh/ech_err.c crypto/ecdh/ech_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_lib.c crypto/ecdsa/ecs_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_asn1.c crypto/ecdsa/ecs_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_ossl.c crypto/ecdsa/ecs_ossl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_sign.c crypto/ecdsa/ecs_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_vrf.c crypto/ecdsa/ecs_vrf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ecdsa/ecs_err.c crypto/ecdsa/ecs_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/buffer/buffer.c crypto/buffer/buffer.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/buffer/buf_str.c crypto/buffer/buf_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/buffer/buf_err.c crypto/buffer/buf_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bio_lib.c crypto/bio/bio_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bio_cb.c crypto/bio/bio_cb.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bio_err.c crypto/bio/bio_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_mem.c crypto/bio/bss_mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_null.c crypto/bio/bss_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_fd.c crypto/bio/bss_fd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_file.c crypto/bio/bss_file.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bf_null.c crypto/bio/bf_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bf_buff.c crypto/bio/bf_buff.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/b_dump.c crypto/bio/b_dump.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bf_nbio.c crypto/bio/bf_nbio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_log.c crypto/bio/bss_log.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_bio.c crypto/bio/bss_bio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/bio/bss_dgram.c crypto/bio/bss_dgram.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/stack/stack.c crypto/stack/stack.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/lhash/lhash.c crypto/lhash/lhash.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/lhash/lh_stats.c crypto/lhash/lh_stats.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/md_rand.c crypto/rand/md_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/randfile.c crypto/rand/randfile.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_lib.c crypto/rand/rand_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_eng.c crypto/rand/rand_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_err.c crypto/rand/rand_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_egd.c crypto/rand/rand_egd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_win.c crypto/rand/rand_win.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_unix.c crypto/rand/rand_unix.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_os2.c crypto/rand/rand_os2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/rand/rand_nw.c crypto/rand/rand_nw.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err.c crypto/err/err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_def.c crypto/err/err_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_all.c crypto/err/err_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_prn.c crypto/err/err_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_str.c crypto/err/err_str.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/err/err_bio.c crypto/err/err_bio.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/o_names.c crypto/objects/o_names.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/obj_dat.c crypto/objects/obj_dat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/obj_lib.c crypto/objects/obj_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/objects/obj_err.c crypto/objects/obj_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/encode.c crypto/evp/encode.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/digest.c crypto/evp/digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/dig_eng.c crypto/evp/dig_eng.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_enc.c crypto/evp/evp_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_key.c crypto/evp/evp_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_acnf.c crypto/evp/evp_acnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_cnf.c crypto/evp/evp_cnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_des.c crypto/evp/e_des.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_bf.c crypto/evp/e_bf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_idea.c crypto/evp/e_idea.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_des3.c crypto/evp/e_des3.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_rc4.c crypto/evp/e_rc4.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_aes.c crypto/evp/e_aes.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/names.c crypto/evp/names.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_xcbc_d.c crypto/evp/e_xcbc_d.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_rc2.c crypto/evp/e_rc2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_cast.c crypto/evp/e_cast.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_rc5.c crypto/evp/e_rc5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/enc_min.c crypto/evp/enc_min.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_null.c crypto/evp/m_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_md2.c crypto/evp/m_md2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_md4.c crypto/evp/m_md4.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_md5.c crypto/evp/m_md5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_sha.c crypto/evp/m_sha.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_sha1.c crypto/evp/m_sha1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_dss.c crypto/evp/m_dss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_dss1.c crypto/evp/m_dss1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_ripemd.c crypto/evp/m_ripemd.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/m_ecdsa.c crypto/evp/m_ecdsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_open.c crypto/evp/p_open.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_seal.c crypto/evp/p_seal.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_sign.c crypto/evp/p_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_verify.c crypto/evp/p_verify.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_lib.c crypto/evp/p_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_enc.c crypto/evp/p_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p_dec.c crypto/evp/p_dec.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_md.c crypto/evp/bio_md.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_b64.c crypto/evp/bio_b64.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_enc.c crypto/evp/bio_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_err.c crypto/evp/evp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_null.c crypto/evp/e_null.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/c_all.c crypto/evp/c_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/c_allc.c crypto/evp/c_allc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/c_alld.c crypto/evp/c_alld.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_lib.c crypto/evp/evp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/bio_ok.c crypto/evp/bio_ok.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_pkey.c crypto/evp/evp_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/evp_pbe.c crypto/evp/evp_pbe.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p5_crpt.c crypto/evp/p5_crpt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/p5_crpt2.c crypto/evp/p5_crpt2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/evp/e_old.c crypto/evp/e_old.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_object.c crypto/asn1/a_object.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_utctm.c crypto/asn1/a_utctm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_gentm.c crypto/asn1/a_gentm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_time.c crypto/asn1/a_time.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_int.c crypto/asn1/a_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_octet.c crypto/asn1/a_octet.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_print.c crypto/asn1/a_print.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_type.c crypto/asn1/a_type.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_set.c crypto/asn1/a_set.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_dup.c crypto/asn1/a_dup.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_d2i_fp.c crypto/asn1/a_d2i_fp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_i2d_fp.c crypto/asn1/a_i2d_fp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_enum.c crypto/asn1/a_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_utf8.c crypto/asn1/a_utf8.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_sign.c crypto/asn1/a_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_digest.c crypto/asn1/a_digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_verify.c crypto/asn1/a_verify.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_mbstr.c crypto/asn1/a_mbstr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_strex.c crypto/asn1/a_strex.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_algor.c crypto/asn1/x_algor.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_val.c crypto/asn1/x_val.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_pubkey.c crypto/asn1/x_pubkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_sig.c crypto/asn1/x_sig.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_req.c crypto/asn1/x_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_attrib.c crypto/asn1/x_attrib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_bignum.c crypto/asn1/x_bignum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_long.c crypto/asn1/x_long.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_name.c crypto/asn1/x_name.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_x509.c crypto/asn1/x_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_x509a.c crypto/asn1/x_x509a.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_crl.c crypto/asn1/x_crl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_info.c crypto/asn1/x_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_spki.c crypto/asn1/x_spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/nsseq.c crypto/asn1/nsseq.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/d2i_pu.c crypto/asn1/d2i_pu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/d2i_pr.c crypto/asn1/d2i_pr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/i2d_pu.c crypto/asn1/i2d_pu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/i2d_pr.c crypto/asn1/i2d_pr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_req.c crypto/asn1/t_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_x509.c crypto/asn1/t_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_x509a.c crypto/asn1/t_x509a.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_crl.c crypto/asn1/t_crl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_pkey.c crypto/asn1/t_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_spki.c crypto/asn1/t_spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/t_bitst.c crypto/asn1/t_bitst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_new.c crypto/asn1/tasn_new.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_fre.c crypto/asn1/tasn_fre.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_enc.c crypto/asn1/tasn_enc.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_dec.c crypto/asn1/tasn_dec.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_utl.c crypto/asn1/tasn_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/tasn_typ.c crypto/asn1/tasn_typ.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/f_int.c crypto/asn1/f_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/f_string.c crypto/asn1/f_string.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/n_pkey.c crypto/asn1/n_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/f_enum.c crypto/asn1/f_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_hdr.c crypto/asn1/a_hdr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_pkey.c crypto/asn1/x_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_bool.c crypto/asn1/a_bool.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/x_exten.c crypto/asn1/x_exten.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn_mime.c crypto/asn1/asn_mime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_gen.c crypto/asn1/asn1_gen.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_par.c crypto/asn1/asn1_par.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_lib.c crypto/asn1/asn1_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn1_err.c crypto/asn1/asn1_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_meth.c crypto/asn1/a_meth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_bytes.c crypto/asn1/a_bytes.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/a_strnid.c crypto/asn1/a_strnid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/evp_asn1.c crypto/asn1/evp_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn_pack.c crypto/asn1/asn_pack.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/p5_pbe.c crypto/asn1/p5_pbe.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/p5_pbev2.c crypto/asn1/p5_pbev2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/p8_pkey.c crypto/asn1/p8_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/asn1/asn_moid.c crypto/asn1/asn_moid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_sign.c crypto/pem/pem_sign.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_seal.c crypto/pem/pem_seal.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_info.c crypto/pem/pem_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_lib.c crypto/pem/pem_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_all.c crypto/pem/pem_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_err.c crypto/pem/pem_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_x509.c crypto/pem/pem_x509.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_xaux.c crypto/pem/pem_xaux.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_oth.c crypto/pem/pem_oth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_pk8.c crypto/pem/pem_pk8.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pem/pem_pkey.c crypto/pem/pem_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_def.c crypto/x509/x509_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_d2.c crypto/x509/x509_d2.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_r2x.c crypto/x509/x509_r2x.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_cmp.c crypto/x509/x509_cmp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_obj.c crypto/x509/x509_obj.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_req.c crypto/x509/x509_req.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509spki.c crypto/x509/x509spki.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_set.c crypto/x509/x509_set.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509cset.c crypto/x509/x509cset.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509rset.c crypto/x509/x509rset.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_err.c crypto/x509/x509_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509name.c crypto/x509/x509name.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_v3.c crypto/x509/x509_v3.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_ext.c crypto/x509/x509_ext.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_att.c crypto/x509/x509_att.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509type.c crypto/x509/x509type.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_lu.c crypto/x509/x509_lu.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x_all.c crypto/x509/x_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_txt.c crypto/x509/x509_txt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_trs.c crypto/x509/x509_trs.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/by_file.c crypto/x509/by_file.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/by_dir.c crypto/x509/by_dir.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509/x509_vpm.c crypto/x509/x509_vpm.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_bcons.c crypto/x509v3/v3_bcons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_bitst.c crypto/x509v3/v3_bitst.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_conf.c crypto/x509v3/v3_conf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_extku.c crypto/x509v3/v3_extku.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_ia5.c crypto/x509v3/v3_ia5.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_lib.c crypto/x509v3/v3_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_prn.c crypto/x509v3/v3_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3err.c crypto/x509v3/v3err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_alt.c crypto/x509v3/v3_alt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_skey.c crypto/x509v3/v3_skey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_akey.c crypto/x509v3/v3_akey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pku.c crypto/x509v3/v3_pku.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_int.c crypto/x509v3/v3_int.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_enum.c crypto/x509v3/v3_enum.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_sxnet.c crypto/x509v3/v3_sxnet.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_cpols.c crypto/x509v3/v3_cpols.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_crld.c crypto/x509v3/v3_crld.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_purp.c crypto/x509v3/v3_purp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_info.c crypto/x509v3/v3_info.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_ocsp.c crypto/x509v3/v3_ocsp.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_akeya.c crypto/x509v3/v3_akeya.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pmaps.c crypto/x509v3/v3_pmaps.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pcons.c crypto/x509v3/v3_pcons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pcia.c crypto/x509v3/v3_pcia.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_pci.c crypto/x509v3/v3_pci.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_cache.c crypto/x509v3/pcy_cache.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_node.c crypto/x509v3/pcy_node.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_data.c crypto/x509v3/pcy_data.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_map.c crypto/x509v3/pcy_map.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_tree.c crypto/x509v3/pcy_tree.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/pcy_lib.c crypto/x509v3/pcy_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_asid.c crypto/x509v3/v3_asid.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/x509v3/v3_addr.c crypto/x509v3/v3_addr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_err.c crypto/conf/conf_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_lib.c crypto/conf/conf_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_api.c crypto/conf/conf_api.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_def.c crypto/conf/conf_def.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_mod.c crypto/conf/conf_mod.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_mall.c crypto/conf/conf_mall.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/conf/conf_sap.c crypto/conf/conf_sap.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/txt_db/txt_db.c crypto/txt_db/txt_db.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_asn1.c crypto/pkcs7/pk7_asn1.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_lib.c crypto/pkcs7/pk7_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pkcs7err.c crypto/pkcs7/pkcs7err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_doit.c crypto/pkcs7/pk7_doit.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_smime.c crypto/pkcs7/pk7_smime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_attr.c crypto/pkcs7/pk7_attr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs7/pk7_mime.c crypto/pkcs7/pk7_mime.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_add.c crypto/pkcs12/p12_add.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_asn.c crypto/pkcs12/p12_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_attr.c crypto/pkcs12/p12_attr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_crpt.c crypto/pkcs12/p12_crpt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_crt.c crypto/pkcs12/p12_crt.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_decr.c crypto/pkcs12/p12_decr.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_init.c crypto/pkcs12/p12_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_key.c crypto/pkcs12/p12_key.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_kiss.c crypto/pkcs12/p12_kiss.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_mutl.c crypto/pkcs12/p12_mutl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_utl.c crypto/pkcs12/p12_utl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_npas.c crypto/pkcs12/p12_npas.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/pk12err.c crypto/pkcs12/pk12err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_p8d.c crypto/pkcs12/p12_p8d.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pkcs12/p12_p8e.c crypto/pkcs12/p12_p8e.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/comp_lib.c crypto/comp/comp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/comp_err.c crypto/comp/comp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/c_rle.c crypto/comp/c_rle.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/comp/c_zlib.c crypto/comp/c_zlib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_err.c crypto/engine/eng_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_lib.c crypto/engine/eng_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_list.c crypto/engine/eng_list.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_init.c crypto/engine/eng_init.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_ctrl.c crypto/engine/eng_ctrl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_table.c crypto/engine/eng_table.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_pkey.c crypto/engine/eng_pkey.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_fat.c crypto/engine/eng_fat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_all.c crypto/engine/eng_all.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_rsa.c crypto/engine/tb_rsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_dsa.c crypto/engine/tb_dsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_ecdsa.c crypto/engine/tb_ecdsa.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_dh.c crypto/engine/tb_dh.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_ecdh.c crypto/engine/tb_ecdh.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_rand.c crypto/engine/tb_rand.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_store.c crypto/engine/tb_store.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_cipher.c crypto/engine/tb_cipher.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/tb_digest.c crypto/engine/tb_digest.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_openssl.c crypto/engine/eng_openssl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_cnf.c crypto/engine/eng_cnf.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_dyn.c crypto/engine/eng_dyn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_cryptodev.c crypto/engine/eng_cryptodev.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/engine/eng_padlock.c crypto/engine/eng_padlock.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_asn.c crypto/ocsp/ocsp_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_ext.c crypto/ocsp/ocsp_ext.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_ht.c crypto/ocsp/ocsp_ht.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_lib.c crypto/ocsp/ocsp_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_cl.c crypto/ocsp/ocsp_cl.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_srv.c crypto/ocsp/ocsp_srv.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_prn.c crypto/ocsp/ocsp_prn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_vfy.c crypto/ocsp/ocsp_vfy.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ocsp/ocsp_err.c crypto/ocsp/ocsp_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_err.c crypto/ui/ui_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_lib.c crypto/ui/ui_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_util.c crypto/ui/ui_util.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/ui/ui_compat.c crypto/ui/ui_compat.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/krb5/krb5_asn.c crypto/krb5/krb5_asn.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_err.c crypto/store/str_err.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_lib.c crypto/store/str_lib.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_meth.c crypto/store/str_meth.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/store/str_mem.c crypto/store/str_mem.c +install -D $DIR/CryptoPkg/Library/OpensslLib/openssl-$version/crypto/pqueue/pqueue.c crypto/pqueue/pqueue.c + +find . -name "*.[ch]" -exec chmod -x {} \; diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c index bb5f6d4..7b8bca5 100644 --- a/Cryptlib/Pk/CryptAuthenticode.c +++ b/Cryptlib/Pk/CryptAuthenticode.c @@ -146,8 +146,8 @@ AuthenticodeVerify ( // // Long Form of Length Encoding, only support two bytes. // - ContentSize = (UINTN) (*(SpcIndirectDataContent + 2)); - ContentSize = (ContentSize << 8) + (UINTN)(*(SpcIndirectDataContent + 3)); + ContentSize = (UINTN) (*(UINT8 *)(SpcIndirectDataContent + 2)); + ContentSize = (ContentSize << 8) + (UINTN)(*(UINT8 *)(SpcIndirectDataContent + 3)); // // Skip the SEQUENCE Tag; // From 64508097209970e0df28ed77446a9a816149052a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 27 Aug 2014 11:49:39 -0400 Subject: [PATCH 139/163] Fix typo from Ard's old tree 32-bit ARM patch. We don't need to .data entries; the second one should be .data*. He's since fixed this in his tree, but I'd already pulled it and pushed to master. Signed-off-by: Peter Jones --- elf_arm_efi.lds | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds index fd1075d..c5dc298 100644 --- a/elf_arm_efi.lds +++ b/elf_arm_efi.lds @@ -19,7 +19,7 @@ SECTIONS *(.sdata) *(.data) *(.data1) - *(.data) + *(.data*) *(.got.plt) *(.got) From 4ca60879150d3290b616044b5556116586983cdd Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Wed, 27 Aug 2014 11:49:39 -0400 Subject: [PATCH 140/163] Handle empty .reloc section in PE/COFF loader On archs where no EFI aware objcopy is available, the generated PE/COFF header contains a .reloc section which is completely empty. Handle this by - returning early from relocate_coff() with EFI_SUCCESS, - ignoring discardable sections in the section loader. Signed-off-by: Ard Biesheuvel --- shim.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/shim.c b/shim.c index ea8eba8..1329212 100644 --- a/shim.c +++ b/shim.c @@ -145,6 +145,9 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, return EFI_UNSUPPORTED; } + if (!context->RelocDir->Size) + return EFI_SUCCESS; + RelocBase = ImageAddress(data, size, context->RelocDir->VirtualAddress); RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); @@ -996,7 +999,11 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, * Copy the executable's sections to their desired offsets */ Section = context.FirstSection; - for (i = 0; i < context.NumberOfSections; i++) { + for (i = 0; i < context.NumberOfSections; i++, Section++) { + if (Section->Characteristics & 0x02000000) + /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */ + continue; + size = Section->Misc.VirtualSize; if (size > Section->SizeOfRawData) @@ -1021,8 +1028,6 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, if (size < Section->Misc.VirtualSize) ZeroMem (base + size, Section->Misc.VirtualSize - size); - - Section += 1; } /* From 1042fd7c725ebde7d7064c23523a61605617a7ae Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 27 Aug 2014 16:40:57 -0400 Subject: [PATCH 141/163] Don't name something exit(). On aarch64 due to some terrifying include chain we wind up with Cryptlib's definition of exit here. I'm not a glutton for punishment, so I'm just changing the name so it's not coliding. Signed-off-by: Peter Jones --- replacements.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/replacements.c b/replacements.c index 5dfa355..f7623d9 100644 --- a/replacements.c +++ b/replacements.c @@ -162,7 +162,7 @@ exit_boot_services(EFI_HANDLE image_key, UINTN map_key) } static EFI_STATUS EFIAPI -exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, +do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, UINTN ExitDataSize, CHAR16 *ExitData) { EFI_STATUS status; @@ -206,5 +206,5 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab) * bootloader and still e.g. start a new one or run an internal * shell. */ system_exit = systab->BootServices->Exit; - systab->BootServices->Exit = exit; + systab->BootServices->Exit = do_exit; } From 00c84188667546b3f7181487691f183e8fd58540 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 27 Aug 2014 16:40:57 -0400 Subject: [PATCH 142/163] Make sure we don't try to load a binary from a different arch. Since in theory you could, for example, get an x86_64 binary signed that also behaves as an ARM executable, we should be checking this before people build on other architectures. Signed-off-by: Peter Jones --- include/PeImage.h | 1 + shim.c | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/include/PeImage.h b/include/PeImage.h index ec13404..133e11e 100644 --- a/include/PeImage.h +++ b/include/PeImage.h @@ -49,6 +49,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define IMAGE_FILE_MACHINE_EBC 0x0EBC #define IMAGE_FILE_MACHINE_X64 0x8664 #define IMAGE_FILE_MACHINE_ARMTHUMB_MIXED 0x01c2 +#define IMAGE_FILE_MACHINE_ARM64 0xaa64 // // EXE file formats diff --git a/shim.c b/shim.c index 1329212..1ec1e11 100644 --- a/shim.c +++ b/shim.c @@ -947,6 +947,20 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, return EFI_SUCCESS; } +static const UINT16 machine_type = +#if defined(__x86_64__) + IMAGE_FILE_MACHINE_X64; +#elif defined(__aarch64__) + IMAGE_FILE_MACHINE_ARM64; +#elif defined(__arm__) + IMAGE_FILE_MACHINE_ARMTHUMB_MIXED; +#elif defined(__i386__) || defined(__i486__) || defined(__i686__) + IMAGE_FILE_MACHINE_I386; +#elif defined(__ia64__) + IMAGE_FILE_MACHINE_IA64; +#else +#error this architecture is not supported by shim +#endif /* * Once the image has been loaded it needs to be validated and relocated @@ -971,6 +985,11 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return efi_status; } + if (context.PEHdr->Pe32.FileHeader.Machine != machine_type) { + perror(L"Image is for a different architecture\n"); + return EFI_UNSUPPORTED; + } + /* * We only need to verify the binary if we're in secure mode */ From 486bf03e54e0db164e3150dfa7f607811bdaefec Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 19 Sep 2014 09:30:26 -0400 Subject: [PATCH 143/163] Actually refer to the base relocation table of our loaded image. Currently when we process base relocations, we get the correct Data Directory pointer from the headers (context->RelocDir), and that header has been copied into our pristine allocated image when we copied up to SizeOfHeaders. But the data it points to has not been mirrored in to the new image, so it is whatever data AllocPool() gave us. This patch changes relocate_coff() to refer to the base relocation table from the image we loaded from disk, but apply the fixups to the new copy. I have no idea how x86_64 worked without this, but I can't make aarch64 work without it. I also don't know how Ard or Leif have seen aarch64 work. Maybe they haven't? Leif indicated on irc that they may have only tested shim with simple "hello world" applications from gnu-efi; they are certainly much less complex than grub.efi, and are generated through a different linking process. My only theory is that we're getting recycled data there pretty reliably that just makes us /not/ process any relocations, but since our ImageBase is 0, and I don't think we ever load grub with 0 as its base virtual address, that doesn't follow. I'm open to any other ideas anybody has. I do know that on x86_64 (and presumably aarch64 as well), we don't actually start seeing *symptoms* of this bug until the first chunk[0] of 94c9a77f is applied[1]. Once that is applied, relocate_coff() starts seeing zero[2] for both RelocBase->VirtualAddress and RelocBase->SizeOfBlock, because RelocBase is a (generated, relative) pointer that only makes sense in the context of the original binary, not our partial copy. Since RelocBase->SizeOfBlock is tested first, relocate_base() gives us "Reloc block size is invalid"[3] and returns EFI_UNSUPPORTED. At that point shim exits with an error. [0] The second chunk of 94c9a77f patch makes no difference on this issue. [1] I don't see why at all. [2] Which could really be any value since it's AllocatePool() and not AllocateZeroPool() results, but 0 is all I've observed; I think AllocatePool() has simply never recycled any memory in my test cases. [3] which is silent because perror() tries to avoid talking because that has caused much crashing in the past; work needs to go in to 0.9 for this. Signed-off-by: Peter Jones --- shim.c | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/shim.c b/shim.c index 1ec1e11..4b4d31a 100644 --- a/shim.c +++ b/shim.c @@ -122,7 +122,7 @@ static void *ImageAddress (void *image, unsigned int size, unsigned int address) * Perform the actual relocation */ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, - void *data) + void *orig, void *data) { EFI_IMAGE_BASE_RELOCATION *RelocBase, *RelocBaseEnd; UINT64 Adjust; @@ -132,7 +132,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT32 *Fixup32; UINT64 *Fixup64; int size = context->ImageSize; - void *ImageEnd = (char *)data + size; + void *ImageEnd = (char *)orig + size; #if __LP64__ context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)data; @@ -140,16 +140,8 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, context->PEHdr->Pe32.OptionalHeader.ImageBase = (UINT32)data; #endif - if (context->NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { - perror(L"Image has no relocation entry\n"); - return EFI_UNSUPPORTED; - } - - if (!context->RelocDir->Size) - return EFI_SUCCESS; - - RelocBase = ImageAddress(data, size, context->RelocDir->VirtualAddress); - RelocBaseEnd = ImageAddress(data, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); + RelocBase = ImageAddress(orig, size, context->RelocDir->VirtualAddress); + RelocBaseEnd = ImageAddress(orig, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); if (!RelocBase || !RelocBaseEnd) { perror(L"Reloc table overflows binary\n"); @@ -170,7 +162,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, } RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); - if ((void *)RelocEnd < data || (void *)RelocEnd > ImageEnd) { + if ((void *)RelocEnd < orig || (void *)RelocEnd > ImageEnd) { perror(L"Reloc entry overflows binary\n"); return EFI_UNSUPPORTED; } @@ -1049,15 +1041,23 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, ZeroMem (base + size, Section->Misc.VirtualSize - size); } - /* - * Run the relocation fixups - */ - efi_status = relocate_coff(&context, buffer); - - if (efi_status != EFI_SUCCESS) { - perror(L"Relocation failed: %r\n", efi_status); + if (context.NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC) { + perror(L"Image has no relocation entry\n"); FreePool(buffer); - return efi_status; + return EFI_UNSUPPORTED; + } + + if (context.RelocDir->Size) { + /* + * Run the relocation fixups + */ + efi_status = relocate_coff(&context, data, buffer); + + if (efi_status != EFI_SUCCESS) { + perror(L"Relocation failed: %r\n", efi_status); + FreePool(buffer); + return efi_status; + } } entry_point = ImageAddress(buffer, context.ImageSize, context.EntryPoint); From afec82ac7e9ef1c048e08d02f2bbdbd5d5be56a9 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 13:12:03 -0400 Subject: [PATCH 144/163] Make 64-on-32 maybe work on x86_64. This is mostly based on a patch (https://github.com/mjg59/shim/issues/30) from https://github.com/TBOpen , which refactors our __LP64__ tests to be tests of the header magic instead. I've simplified things by using what we've pre-loaded into "context" and making some helper functions so the conditionals in most of the code say what they do, instead of how they work. Note that we're only allowing that from in_protocol's loader - that is, we'll let 64-bit grub load a 32-bit kernel or 32-bit grub load a 64-bit kernel, but 32-bit shim isn't loading a 64-bit grub. Signed-off-by: Peter Jones --- shim.c | 220 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 148 insertions(+), 72 deletions(-) diff --git a/shim.c b/shim.c index 4b4d31a..c1b5c17 100644 --- a/shim.c +++ b/shim.c @@ -118,6 +118,106 @@ static void *ImageAddress (void *image, unsigned int size, unsigned int address) return image + address; } +/* here's a chart: + * i686 x86_64 aarch64 + * 64-on-64: nyet yes yes + * 64-on-32: nyet yes nyet + * 32-on-32: yes yes no + */ +static int +allow_64_bit(void) +{ +#if defined(__x86_64__) || defined(__aarch64__) + return 1; +#elif defined(__i386__) || defined(__i686__) + /* Right now blindly assuming the kernel will correctly detect this + * and /halt the system/ if you're not really on a 64-bit cpu */ + if (in_protocol) + return 1; + return 0; +#else /* assuming everything else is 32-bit... */ + return 0; +#endif +} + +static int +allow_32_bit(void) +{ +#if defined(__x86_64__) +#if defined(ALLOW_32BIT_KERNEL_ON_X64) + if (in_protocol) + return 1; + return 0; +#else + return 0; +#endif +#elif defined(__i386__) || defined(__i686__) + return 1; +#elif defined(__arch64__) + return 0; +#else /* assuming everything else is 32-bit... */ + return 1; +#endif +} + +static int +image_is_64_bit(EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr) +{ + /* .Magic is the same offset in all cases */ + if (PEHdr->Pe32Plus.OptionalHeader.Magic + == EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) + return 1; + return 0; +} + +static const UINT16 machine_type = +#if defined(__x86_64__) + IMAGE_FILE_MACHINE_X64; +#elif defined(__aarch64__) + IMAGE_FILE_MACHINE_ARM64; +#elif defined(__arm__) + IMAGE_FILE_MACHINE_ARMTHUMB_MIXED; +#elif defined(__i386__) || defined(__i486__) || defined(__i686__) + IMAGE_FILE_MACHINE_I386; +#elif defined(__ia64__) + IMAGE_FILE_MACHINE_IA64; +#else +#error this architecture is not supported by shim +#endif + +static int +image_is_loadable(EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr) +{ + /* If the machine type doesn't match the binary, bail, unless + * we're in an allowed 64-on-32 scenario */ + if (PEHdr->Pe32.FileHeader.Machine != machine_type) { + if (!(machine_type == IMAGE_FILE_MACHINE_I386 && + PEHdr->Pe32.FileHeader.Machine == IMAGE_FILE_MACHINE_X64 && + allow_64_bit())) { + return 0; + } + } + + /* If it's not a header type we recognize at all, bail */ + switch (PEHdr->Pe32Plus.OptionalHeader.Magic) { + case EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC: + case EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC: + break; + default: + return 0; + } + + /* and now just check for general 64-vs-32 compatibility */ + if (image_is_64_bit(PEHdr)) { + if (allow_64_bit()) + return 1; + } else { + if (allow_32_bit()) + return 1; + } + return 0; +} + /* * Perform the actual relocation */ @@ -134,11 +234,10 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, int size = context->ImageSize; void *ImageEnd = (char *)orig + size; -#if __LP64__ - context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)data; -#else - context->PEHdr->Pe32.OptionalHeader.ImageBase = (UINT32)data; -#endif + if (image_is_64_bit(context->PEHdr)) + context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)(unsigned long)data; + else + context->PEHdr->Pe32.OptionalHeader.ImageBase = (UINT32)(unsigned long)data; RelocBase = ImageAddress(orig, size, context->RelocDir->VirtualAddress); RelocBaseEnd = ImageAddress(orig, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); @@ -157,7 +256,7 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION)); if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) { - perror(L"Reloc block size is invalid\n"); + perror(L"Reloc block size %d is invalid\n", RelocBase->SizeOfBlock); return EFI_UNSUPPORTED; } @@ -498,7 +597,7 @@ static BOOLEAN secure_mode (void) * Calculate the SHA1 and SHA256 hashes of a binary */ -static EFI_STATUS generate_hash (char *data, int datasize_in, +static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash, UINT8 *sha1hash) @@ -572,15 +671,14 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, } /* Hash end of certificate table to end of image header */ -#if __LP64__ - hashbase = (char *) &context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; - hashsize = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders - - (int) ((char *) (&context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - data); -#else - hashbase = (char *) &context->PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; - hashsize = context->PEHdr->Pe32.OptionalHeader.SizeOfHeaders - - (int) ((char *) (&context->PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - data); -#endif + EFI_IMAGE_DATA_DIRECTORY *dd = context->SecDir + 1; + hashbase = (char *)dd; + hashsize = context->SizeOfHeaders - (unsigned long)((char *)dd - data); + if (hashsize > datasize_in) { + perror(L"Data Directory size %d is invalid\n", hashsize); + status = EFI_INVALID_PARAMETER; + goto done; + } if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -590,11 +688,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, } /* Sort sections */ -#if __LP64__ - SumOfBytesHashed = context->PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; -#else - SumOfBytesHashed = context->PEHdr->Pe32.OptionalHeader.SizeOfHeaders; -#endif + SumOfBytesHashed = context->SizeOfHeaders; /* Validate section locations and sizes */ for (index = 0, SumOfSectionBytes = 0; index < context->PEHdr->Pe32.FileHeader.NumberOfSections; index++) { @@ -682,14 +776,7 @@ static EFI_STATUS generate_hash (char *data, int datasize_in, /* Hash all remaining data */ if (datasize > SumOfBytesHashed) { hashbase = data + SumOfBytesHashed; - hashsize = (unsigned int)( - datasize - -#if __LP64__ - context->PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - -#else - context->PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - -#endif - SumOfBytesHashed); + hashsize = datasize - context->SecDir->Size - SumOfBytesHashed; if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -843,24 +930,31 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data; unsigned long HeaderWithoutDataDir, SectionHeaderOffset, OptHeaderSize; - if (datasize < sizeof(EFI_IMAGE_DOS_HEADER)) { + if (datasize < sizeof (PEHdr->Pe32)) { perror(L"Invalid image\n"); return EFI_UNSUPPORTED; } if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) PEHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)((char *)data + DosHdr->e_lfanew); -#if __LP64__ - context->NumberOfRvaAndSizes = PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes; - context->SizeOfHeaders = PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; - context->ImageSize = PEHdr->Pe32Plus.OptionalHeader.SizeOfImage; - OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER64); -#else - context->NumberOfRvaAndSizes = PEHdr->Pe32.OptionalHeader.NumberOfRvaAndSizes; - context->SizeOfHeaders = PEHdr->Pe32.OptionalHeader.SizeOfHeaders; - context->ImageSize = (UINT64)PEHdr->Pe32.OptionalHeader.SizeOfImage; - OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER32); -#endif + + if (!image_is_loadable(PEHdr)) { + perror(L"Platform does not support this image\n"); + return EFI_UNSUPPORTED; + } + + if (image_is_64_bit(PEHdr)) { + context->NumberOfRvaAndSizes = PEHdr->Pe32Plus.OptionalHeader.NumberOfRvaAndSizes; + context->SizeOfHeaders = PEHdr->Pe32Plus.OptionalHeader.SizeOfHeaders; + context->ImageSize = PEHdr->Pe32Plus.OptionalHeader.SizeOfImage; + OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER64); + } else { + context->NumberOfRvaAndSizes = PEHdr->Pe32.OptionalHeader.NumberOfRvaAndSizes; + context->SizeOfHeaders = PEHdr->Pe32.OptionalHeader.SizeOfHeaders; + context->ImageSize = (UINT64)PEHdr->Pe32.OptionalHeader.SizeOfImage; + OptHeaderSize = sizeof(EFI_IMAGE_OPTIONAL_HEADER32); + } + context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections; if (EFI_IMAGE_NUMBER_OF_DIRECTORY_ENTRIES < context->NumberOfRvaAndSizes) { @@ -908,17 +1002,19 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, } context->PEHdr = PEHdr; -#if __LP64__ - context->ImageAddress = PEHdr->Pe32Plus.OptionalHeader.ImageBase; - context->EntryPoint = PEHdr->Pe32Plus.OptionalHeader.AddressOfEntryPoint; - context->RelocDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; - context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; -#else - context->ImageAddress = PEHdr->Pe32.OptionalHeader.ImageBase; - context->EntryPoint = PEHdr->Pe32.OptionalHeader.AddressOfEntryPoint; - context->RelocDir = &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; - context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; -#endif + + if (image_is_64_bit(PEHdr)) { + context->ImageAddress = PEHdr->Pe32Plus.OptionalHeader.ImageBase; + context->EntryPoint = PEHdr->Pe32Plus.OptionalHeader.AddressOfEntryPoint; + context->RelocDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; + context->SecDir = &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; + } else { + context->ImageAddress = PEHdr->Pe32.OptionalHeader.ImageBase; + context->EntryPoint = PEHdr->Pe32.OptionalHeader.AddressOfEntryPoint; + context->RelocDir = &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC]; + context->SecDir = &PEHdr->Pe32.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]; + } + context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER)); if (context->ImageSize < context->SizeOfHeaders) { @@ -939,21 +1035,6 @@ static EFI_STATUS read_header(void *data, unsigned int datasize, return EFI_SUCCESS; } -static const UINT16 machine_type = -#if defined(__x86_64__) - IMAGE_FILE_MACHINE_X64; -#elif defined(__aarch64__) - IMAGE_FILE_MACHINE_ARM64; -#elif defined(__arm__) - IMAGE_FILE_MACHINE_ARMTHUMB_MIXED; -#elif defined(__i386__) || defined(__i486__) || defined(__i686__) - IMAGE_FILE_MACHINE_I386; -#elif defined(__ia64__) - IMAGE_FILE_MACHINE_IA64; -#else -#error this architecture is not supported by shim -#endif - /* * Once the image has been loaded it needs to be validated and relocated */ @@ -977,11 +1058,6 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return efi_status; } - if (context.PEHdr->Pe32.FileHeader.Machine != machine_type) { - perror(L"Image is for a different architecture\n"); - return EFI_UNSUPPORTED; - } - /* * We only need to verify the binary if we're in secure mode */ From 0dcd5a8e90245e34c941eaf81342c560935a8082 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 16:25:20 -0400 Subject: [PATCH 145/163] Validate computed hash bases/hash sizes more thoroughly. I screwed one of these up when working on 750584c, and it's a real pain to figure out, so that means we should be validating them. Signed-off-by: Peter Jones --- shim.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/shim.c b/shim.c index c1b5c17..cfa90d1 100644 --- a/shim.c +++ b/shim.c @@ -593,6 +593,22 @@ static BOOLEAN secure_mode (void) return TRUE; } +#define check_size_line(data, datasize_in, hashbase, hashsize, l) ({ \ + if ((unsigned long)hashbase > \ + (unsigned long)data + datasize_in) { \ + perror(L"shim.c:%d Invalid hash base 0x%016x\n", l, \ + hashbase); \ + goto done; \ + } \ + if ((unsigned long)hashbase + hashsize > \ + (unsigned long)data + datasize_in) { \ + perror(L"shim.c:%d Invalid hash size 0x%016x\n", l, \ + hashsize); \ + goto done; \ + } \ +}) +#define check_size(d,ds,h,hs) check_size_line(d,ds,h,hs,__LINE__) + /* * Calculate the SHA1 and SHA256 hashes of a binary */ @@ -650,6 +666,7 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, hashbase = data; hashsize = (char *)&context->PEHdr->Pe32.OptionalHeader.CheckSum - hashbase; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -662,6 +679,7 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, hashbase = (char *)&context->PEHdr->Pe32.OptionalHeader.CheckSum + sizeof (int); hashsize = (char *)context->SecDir - hashbase; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -679,6 +697,7 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, status = EFI_INVALID_PARAMETER; goto done; } + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -763,6 +782,7 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, goto done; } hashsize = (unsigned int) Section->SizeOfRawData; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { @@ -777,6 +797,7 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, if (datasize > SumOfBytesHashed) { hashbase = data + SumOfBytesHashed; hashsize = datasize - context->SecDir->Size - SumOfBytesHashed; + check_size(data, datasize_in, hashbase, hashsize); if (!(Sha256Update(sha256ctx, hashbase, hashsize)) || !(Sha1Update(sha1ctx, hashbase, hashsize))) { From 213e29e25b771fea7146c7db2203759bc8c75e5a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 16:25:27 -0400 Subject: [PATCH 146/163] Don't call AuthenticodeVerify if vendor_cert_size is 0. Actually check the size of our vendor cert quite early, so that there's no confusion as to what's going on. This isn't strictly necessary, in that in all cases if vendor_cert_size is 0, then AuthenticodeVerify -> Pkcs7Verify() -> d2i_X509() will result in a NULL "Cert", and it will return FALSE, and we'll reject the signature, but better to avoid all that code in the first place. Belt and suspenders and whatnot. Based on a patch from https://github.com/TBOpen . Signed-off-by: Peter Jones --- shim.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index cfa90d1..caa05d8 100644 --- a/shim.c +++ b/shim.c @@ -923,14 +923,13 @@ static EFI_STATUS verify_buffer (char *data, int datasize, return status; } - /* * And finally, check against shim's built-in key */ - if (AuthenticodeVerify(cert->CertData, - context->SecDir->Size - sizeof(cert->Hdr), - vendor_cert, vendor_cert_size, sha256hash, - SHA256_DIGEST_SIZE)) { + if (vendor_cert_size && AuthenticodeVerify(cert->CertData, + context->SecDir->Size - sizeof(cert->Hdr), + vendor_cert, vendor_cert_size, sha256hash, + SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; return status; } From 631225fb3319c7011a840986a73bcc2afef5adc0 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 16:25:27 -0400 Subject: [PATCH 147/163] Fix our "in_protocol" printing. When I merged 4bfb13d and fixed the conflicts, I managed to make the in_protocol test exactly backwards, so that's why we don't currently see error messages. Signed-off-by: Peter Jones --- shim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shim.c b/shim.c index caa05d8..7cd4182 100644 --- a/shim.c +++ b/shim.c @@ -63,7 +63,7 @@ static UINT8 in_protocol; #define perror(fmt, ...) ({ \ UINTN __perror_ret = 0; \ - if (in_protocol) \ + if (!in_protocol) \ __perror_ret = Print((fmt), ##__VA_ARGS__); \ __perror_ret; \ }) From 2c59a1a03a3be3fcb916c2b1d761a7437ba965a4 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 16:25:27 -0400 Subject: [PATCH 148/163] Generate a sane PE header on shim, fallback, and MokManager. It turns out a7249a65 was masking a second problem - on some binaries, when we actually don't have any base relocations at all, binutils' "objcopy --target efi-app-x86_64" is generating a PE header with a base relocations pointer that happily points into the middle of our text section. So with shim processing base relocations correctly, it refuses to load those binaries. For example, on one binary I just built: 00000130 00 a0 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 |................| which says there's a Base Relocation Table at 0xa000 that's 0xa bytes long. That's here: 0000a000 58 00 29 00 00 00 00 00 48 00 44 00 28 00 50 00 |X.).....H.D.(.P.| 0000a010 61 00 72 00 74 00 25 00 64 00 2c 00 53 00 69 00 |a.r.t.%.d.,.S.i.| 0000a020 67 00 25 00 67 00 29 00 00 00 00 00 00 00 00 00 |g.%.g.).........| 0000a030 48 00 44 00 28 00 50 00 61 00 72 00 74 00 25 00 |H.D.(.P.a.r.t.%.| So the table is: 0000a000 58 00 29 00 00 00 00 00 48 00 |X.).....H. | That wouldn't be so bad, except those binaries are MokManager.efi, fallback.efi, and shim.efi, and sometimes they're .reloc, which we're actually trying to handle correctly now because grub builds with a real and valid .reloc table. So though I didn't think there was any hair left on this yak, more shaving ensues. With this change, instead of letting objcopy do whatever it likes, we switch to "-O binary" and merely link in a header that's appropriate for our binaries. This is the same method Ard wrote for aarch64, and it seems to work fine in either place (modulo some minor changes.) At some point this should be merged into gnu-efi instead of carrying our own crt0-efi-x86_64.S, but that's a less immediate problem. I did not need this problem. Signed-off-by: Peter Jones --- Makefile | 24 ++++-- crt0-efi-x86_64.S | 177 +++++++++++++++++++++++++++++++++++++++++++++ elf_x86_64_efi.lds | 89 +++++++++++------------ 3 files changed, 238 insertions(+), 52 deletions(-) create mode 100644 crt0-efi-x86_64.S diff --git a/Makefile b/Makefile index 5bc513c..d5fd55b 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,10 @@ EFI_PATH := /usr/lib64/gnuefi LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) -EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o +ifeq ($(ARCH),x86_64) +EFI_CRT_OBJS := crt0-efi-$(ARCH).o +endif +EFI_CRT_OBJS ?= $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi @@ -52,11 +55,11 @@ ifneq ($(origin VENDOR_DBX_FILE), undefined) CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" endif -LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) +LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL VERSION = 0.7 -TARGET = shim.efi MokManager.efi.signed fallback.efi.signed +TARGET += shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h @@ -94,17 +97,17 @@ shim.o: $(SOURCES) shim_cert.h cert.o : cert.S $(CC) $(CFLAGS) -c -o $@ $< -shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(EFI_CRT_OBJS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) fallback.o: $(FALLBACK_SRCS) -fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a +fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(EFI_CRT_OBJS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) MokManager.o: $(MOK_SOURCES) -MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a +MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(EFI_CRT_OBJS) $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: @@ -128,8 +131,17 @@ SUBSYSTEM := 0xa LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) endif +ifeq ($(ARCH),x86_64) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + FORMAT ?= --target efi-app-$(ARCH) +crt0-efi-x86_64.o : crt0-efi-x86_64.S + $(CC) $(CFLAGS) -DEFI_SUBSYSTEM=$(SUBSYSTEM) -c -o $@ $< + %.efi: %.so $(OBJCOPY) -j .text -j .sdata -j .data \ -j .dynamic -j .dynsym -j .rel* \ diff --git a/crt0-efi-x86_64.S b/crt0-efi-x86_64.S new file mode 100644 index 0000000..f334a63 --- /dev/null +++ b/crt0-efi-x86_64.S @@ -0,0 +1,177 @@ +/* crt0-efi-x86_64.S - x86_64 EFI startup code. + * + * Copyright 2014 Red Hat, Inc. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + .section .text.head + + /* + * Magic "MZ" signature for PE/COFF + */ + .globl ImageBase +ImageBase: + .ascii "MZ" + .skip 58 // 'MZ' + pad + offset == 64 + .long pe_header - ImageBase // Offset to the PE header. + .long 0x0eba1f0e /* terrifying code */ + .long 0xcd09b400 /* terrifying code */ + .long 0x4c01b821 /* terrifying code */ + .short 0x21cd /* terrfiying code */ + .ascii "The only winning move is not to play.\r\r\n$" /* DOS text */ + .skip 9 +pe_header: + .ascii "PE" + .short 0 +coff_header: + .short 0x8664 // x86_64 + .short 1 // nr_sections + .long 0 // TimeDateStamp + .long 0 // PointerToSymbolTable + .long 0 // NumberOfSymbols + .short section_table - optional_header // SizeOfOptionalHeader + .short 0x206 // Characteristics. + // IMAGE_FILE_DEBUG_STRIPPED | + // IMAGE_FILE_EXECUTABLE_IMAGE | + // IMAGE_FILE_LINE_NUMS_STRIPPED +optional_header: + .short 0x20b // PE32+ format + .byte 0x02 // MajorLinkerVersion + .byte 0x18 // MinorLinkerVersion + .long _edata - _start // SizeOfCode + .long 0 // SizeOfInitializedData + .long 0 // SizeOfUninitializedData + .long _start - ImageBase // AddressOfEntryPoint + .long _start - ImageBase // BaseOfCode + +extra_header_fields: + .quad 0 // ImageBase + .long 0x20 // SectionAlignment + .long 0x8 // FileAlignment + .short 0 // MajorOperatingSystemVersion + .short 0 // MinorOperatingSystemVersion + .short 0 // MajorImageVersion + .short 0 // MinorImageVersion + .short 0 // MajorSubsystemVersion + .short 0 // MinorSubsystemVersion + .long 0 // Win32VersionValue + + .long _edata - ImageBase // SizeOfImage + + // Everything before the kernel image is considered part of the header + .long _start - ImageBase // SizeOfHeaders + .long 0 // CheckSum + .short EFI_SUBSYSTEM // Subsystem + .short 0 // DllCharacteristics + .quad 0 // SizeOfStackReserve + .quad 0 // SizeOfStackCommit + .quad 0 // SizeOfHeapReserve + .quad 0 // SizeOfHeapCommit + .long 0 // LoaderFlags + .long 0x10 // NumberOfRvaAndSizes + + .quad 0 // ExportTable + .quad 0 // ImportTable + .quad 0 // ResourceTable + .quad 0 // ExceptionTable + .quad 0 // CertificationTable + .quad 0 // BaseRelocationTable + .quad 0 // DebugTable + .quad 0 // ArchTable + .quad 0 // GlobalPointerTable + .quad 0 // .tls + .quad 0 // LoadConfigTable + .quad 0 // BoundImportsTable + .quad 0 // ImportAddressTable + .quad 0 // DelayLoadImportTable + .quad 0 // ClrRuntimeHeader (.cor) + .quad 0 // Reserved + + // Section table +section_table: + .ascii ".text" + .byte 0 + .byte 0 + .byte 0 // end of 0 padding of section name + + .long _edata - _start // VirtualSize + .long _start - ImageBase // VirtualAddress + .long _edata - _start // SizeOfRawData + .long _start - ImageBase // PointerToRawData + .long 0 // PointerToRelocations (0 for executables) + .long 0 // PointerToLineNumbers (0 for executables) + .short 0 // NumberOfRelocations (0 for executables) + .short 0 // NumberOfLineNumbers (0 for executables) + .long 0x60500020 // Characteristics (section flags) + + /* + * The EFI application loader requires a relocation section + * because EFI applications must be relocatable. This is a + * dummy section as far as we are concerned. + */ + .ascii ".reloc" + .byte 0 + .byte 0 // end of 0 padding of section name + + .long 0 // VirtualSize + .long 0 // VirtualAddress + .long 0 // SizeOfRawData + .long 0 // PointerToRawData + .long 0 // PointerToRelocations + .long 0 // PointerToLineNumbers + .short 0 // NumberOfRelocations + .short 0 // NumberOfLineNumbers + .long 0x42100040 // Characteristics (section flags) + + /* x86-64 needs this padding here; without it, some machines simply + * refuse to admit this is an EFI binary. I'm not really sure why; + * reading the spec, it's unclear, but you'd expect it would need to + * be aligned to (1 << FileAlignment), which would mean not having + * the spacing. + */ + .quad 0 +_start: + subq $8, %rsp + pushq %rcx + pushq %rdx + +0: + lea ImageBase(%rip), %rdi + lea _DYNAMIC(%rip), %rsi + + popq %rcx + popq %rdx + pushq %rcx + pushq %rdx + call _relocate + + popq %rdi + popq %rsi + + call efi_main + addq $8, %rsp + +.exit: + ret diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds index f981102..091187b 100644 --- a/elf_x86_64_efi.lds +++ b/elf_x86_64_efi.lds @@ -4,63 +4,60 @@ OUTPUT_ARCH(i386:x86-64) ENTRY(_start) SECTIONS { - . = 0; - ImageBase = .; - .hash : { *(.hash) } /* this MUST come first! */ - . = ALIGN(4096); - .eh_frame : - { - *(.eh_frame) + .text 0x0 : { + *(.text.head) + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) + *(.srodata) + *(.rodata*) + . = ALIGN(16); + _etext = .; } - . = ALIGN(4096); - .text : - { - *(.text) - } - . = ALIGN(4096); - .reloc : - { - *(.reloc) - } - . = ALIGN(4096); + .dynamic : { *(.dynamic) } .data : { - *(.rodata*) - *(.got.plt) - *(.got) - *(.data*) - *(.sdata) - /* the EFI loader doesn't seem to like a .bss section, so we stick - it all into .data: */ - *(.sbss) - *(.scommon) - *(.dynbss) - *(.bss) - *(COMMON) - *(.rel.local) + *(.sdata) + *(.data) + *(.data1) + *(.data.*) + *(.got.plt) + *(.got) + + /* the EFI loader doesn't seem to like a .bss section, so we stick + * it all into .data: */ + . = ALIGN(16); + _bss = .; + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + . = ALIGN(16); + _bss_end = .; } . = ALIGN(4096); .vendor_cert : { - *(.vendor_cert) + *(.vendor_cert) } + . = ALIGN(4096); - .dynamic : { *(.dynamic) } + .rela.dyn : { *(.rela.dyn) } + .rela.plt : { *(.rela.plt) } + .rela.got : { *(.rela.got) } + .rela.data : { *(.rela.data) *(.rela.data*) } + _edata = .; + _data_size = . - _etext; + . = ALIGN(4096); - .rela : + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } + . = ALIGN(4096); + /DISCARD/ : { - *(.rela.data*) - *(.rela.got) - *(.rela.stab) - } - . = ALIGN(4096); - .dynsym : { *(.dynsym) } - . = ALIGN(4096); - .dynstr : { *(.dynstr) } - . = ALIGN(4096); - .ignored.reloc : - { - *(.rela.reloc) + *(.rel.reloc) *(.eh_frame) *(.note.GNU-stack) } From f9d825b242d54a4f22de3720781629873ea47736 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 16:25:27 -0400 Subject: [PATCH 149/163] Do the same for ia32... Once again, on ia32 this time, we see: 00000120 47 84 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 |G...............| Which is where the pointer on ia32 for the Base Relocation Table should be. It points to 0x8447, which isn't a particularly reasonable address as numbers go, and happens to have this data there: 00008440 6f 00 6e 00 66 00 69 00 67 00 75 00 72 00 65 00 |o.n.f.i.g.u.r.e.| 00008450 00 00 49 00 50 00 76 00 36 00 28 00 00 00 2c 00 |..I.P.v.6.(...,.| 00008460 25 00 73 00 2c 00 00 00 29 00 00 00 25 00 64 00 |%.s.,...)...%.d.| 00008470 2e 00 25 00 64 00 2e 00 25 00 64 00 2e 00 25 00 |..%.d...%.d...%.| 00008480 64 00 00 00 44 00 48 00 43 00 50 00 00 00 49 00 |d...D.H.C.P...I.| 00008490 50 00 76 00 34 00 28 00 00 00 2c 00 25 00 73 00 |P.v.4.(...,.%.s.| And so that table is, in theory, this part: 00008447 00 67 00 75 00 72 00 65 00 | .g.u.r.e.| 00008450 00 |. | Which is pretty clearly not a pointer table of any kind. So give ia32 the same treatment as x86_64, and now all arches work basically the same. Signed-off-by: Peter Jones --- Makefile | 22 ++++-- crt0-efi-ia32.S | 180 +++++++++++++++++++++++++++++++++++++++++++++++ elf_ia32_efi.lds | 83 ++++++++++------------ 3 files changed, 236 insertions(+), 49 deletions(-) create mode 100644 crt0-efi-ia32.S diff --git a/Makefile b/Makefile index d5fd55b..a52984f 100644 --- a/Makefile +++ b/Makefile @@ -6,19 +6,25 @@ ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) SUBDIRS = Cryptlib lib -LIB_PATH = /usr/lib64 - EFI_INCLUDE := /usr/include/efi EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude -EFI_PATH := /usr/lib64/gnuefi +ifeq ($(ARCH),ia32) +LIB_PATH := /usr/lib +EFI_PATH := /usr/lib/gnuefi +endif +LIB_PATH ?= /usr/lib64 +EFI_PATH ?= /usr/lib64/gnuefi LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) ifeq ($(ARCH),x86_64) EFI_CRT_OBJS := crt0-efi-$(ARCH).o -endif +else ifeq ($(ARCH),ia32) +EFI_CRT_OBJS := crt0-efi-$(ARCH).o +else EFI_CRT_OBJS ?= $(EFI_PATH)/crt0-efi-$(ARCH).o +endif EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi @@ -137,9 +143,15 @@ SUBSYSTEM := 0xa LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) endif +ifeq ($(ARCH),ia32) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + FORMAT ?= --target efi-app-$(ARCH) -crt0-efi-x86_64.o : crt0-efi-x86_64.S +crt0-efi-$(ARCH).o : crt0-efi-$(ARCH).S $(CC) $(CFLAGS) -DEFI_SUBSYSTEM=$(SUBSYSTEM) -c -o $@ $< %.efi: %.so diff --git a/crt0-efi-ia32.S b/crt0-efi-ia32.S new file mode 100644 index 0000000..70b5b44 --- /dev/null +++ b/crt0-efi-ia32.S @@ -0,0 +1,180 @@ +/* crt0-efi-x86_64.S - x86_64 EFI startup code. + * + * Copyright 2014 Red Hat, Inc. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + .section .text.head + + /* + * Magic "MZ" signature for PE/COFF + */ + .globl ImageBase +ImageBase: + .ascii "MZ" + .skip 58 // 'MZ' + pad + offset == 64 + .long pe_header - ImageBase // Offset to the PE header. + .long 0x0eba1f0e /* terrifying code */ + .long 0xcd09b400 /* terrifying code */ + .long 0x4c01b821 /* terrifying code */ + .short 0x21cd /* terrfiying code */ + .ascii "The only winning move is not to play.\r\r\n$" /* DOS text */ + .skip 9 +pe_header: + .ascii "PE" + .short 0 +coff_header: + .short 0x014c // i386 + .short 1 // nr_sections + .long 0 // TimeDateStamp + .long 0 // PointerToSymbolTable + .long 0 // NumberOfSymbols + .short section_table - optional_header // SizeOfOptionalHeader + .short 0x306 // Characteristics. + // IMAGE_FILE_DEBUG_STRIPPED | + // IMAGE_FILE_EXECUTABLE_IMAGE | + // IMAGE_FILE_LINE_NUMS_STRIPPED + // | IMAGE_FILE_32BIT_MACHINE +optional_header: + .short 0x10b // PE32+ format + .byte 0x02 // MajorLinkerVersion + .byte 0x18 // MinorLinkerVersion + .long _edata - _start // SizeOfCode + .long 0 // SizeOfInitializedData + .long 0 // SizeOfUninitializedData + .long _start - ImageBase // AddressOfEntryPoint + .long _start - ImageBase // BaseOfCode + .long 0 // BaseOfData + +extra_header_fields: + .long 0 // ImageBase + .long 0x20 // SectionAlignment + .long 0x8 // FileAlignment + .short 0 // MajorOperatingSystemVersion + .short 0 // MinorOperatingSystemVersion + .short 0 // MajorImageVersion + .short 0 // MinorImageVersion + .short 0 // MajorSubsystemVersion + .short 0 // MinorSubsystemVersion + .long 0 // Win32VersionValue + + .long _edata - ImageBase // SizeOfImage + + // Everything before the kernel image is considered part of the header + .long _start - ImageBase // SizeOfHeaders + .long 0 // CheckSum + .short EFI_SUBSYSTEM // Subsystem + .short 0 // DllCharacteristics + .long 0 // SizeOfStackReserve + .long 0 // SizeOfStackCommit + .long 0 // SizeOfHeapReserve + .long 0 // SizeOfHeapCommit + .long 0 // LoaderFlags + .long 0x10 // NumberOfRvaAndSizes + + .quad 0 // ExportTable + .quad 0 // ImportTable + .quad 0 // ResourceTable + .quad 0 // ExceptionTable + .quad 0 // CertificationTable + .quad 0 // BaseRelocationTable + .quad 0 // DebugTable + .quad 0 // ArchTable + .quad 0 // GlobalPointerTable + .quad 0 // .tls + .quad 0 // LoadConfigTable + .quad 0 // BoundImportsTable + .quad 0 // ImportAddressTable + .quad 0 // DelayLoadImportTable + .quad 0 // ClrRuntimeHeader (.cor) + .quad 0 // Reserved + + // Section table +section_table: + .ascii ".text" + .byte 0 + .byte 0 + .byte 0 // end of 0 padding of section name + + .long _edata - _start // VirtualSize + .long _start - ImageBase // VirtualAddress + .long _edata - _start // SizeOfRawData + .long _start - ImageBase // PointerToRawData + .long 0 // PointerToRelocations (0 for executables) + .long 0 // PointerToLineNumbers (0 for executables) + .short 0 // NumberOfRelocations (0 for executables) + .short 0 // NumberOfLineNumbers (0 for executables) + .long 0x60500020 // Characteristics (section flags) + + /* + * The EFI application loader requires a relocation section + * because EFI applications must be relocatable. This is a + * dummy section as far as we are concerned. + */ + .ascii ".reloc" + .byte 0 + .byte 0 // end of 0 padding of section name + + .long 0 // VirtualSize + .long 0 // VirtualAddress + .long 0 // SizeOfRawData + .long 0 // PointerToRawData + .long 0 // PointerToRelocations + .long 0 // PointerToLineNumbers + .short 0 // NumberOfRelocations + .short 0 // NumberOfLineNumbers + .long 0x42100040 // Characteristics (section flags) + + /* most if not all ia32 binaries binutils makes seem to have .text + * starting at 0x400; no reason to assume that's a bad idea. */ + .align 1024 + +_start: + pushl %ebp + movl %esp,%ebp + + pushl 12(%ebp) # copy "image" argument + pushl 8(%ebp) # copy "systab" argument + + call 0f +0: popl %eax + movl %eax,%ebx + + addl $ImageBase-0b,%eax # %eax = ldbase + addl $_DYNAMIC-0b,%ebx # %ebx = _DYNAMIC + + pushl %ebx # pass _DYNAMIC as second argument + pushl %eax # pass ldbase as first argument + call _relocate + popl %ebx + popl %ebx + testl %eax,%eax + jne .exit + + call efi_main # call app with "image" and "systab" argument + +.exit: + leave + ret diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds index 12d4085..b649e15 100644 --- a/elf_ia32_efi.lds +++ b/elf_ia32_efi.lds @@ -3,61 +3,56 @@ OUTPUT_ARCH(i386) ENTRY(_start) SECTIONS { - . = 0; - ImageBase = .; - .hash : { *(.hash) } /* this MUST come first! */ - . = ALIGN(4096); - .text : - { - *(.text) - *(.text.*) - *(.gnu.linkonce.t.*) + .text 0x0 : { + *(.text.head) + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) + *(.srodata) + *(.rodata*) + . = ALIGN(16); + _etext = .; } - .reloc : - { - *(.reloc) - } - . = ALIGN(4096); + .dynamic : { *(.dynamic) } .data : { - *(.rodata*) - *(.data) - *(.data1) - *(.data.*) - *(.sdata) - *(.got.plt) - *(.got) - /* the EFI loader doesn't seem to like a .bss section, so we stick - it all into .data: */ - *(.sbss) - *(.scommon) - *(.dynbss) - *(.bss) - *(COMMON) + *(.sdata) + *(.data) + *(.data1) + *(.data.*) + *(.got.plt) + *(.got) + + /* the EFI loader doesn't seem to like a .bss section, so we stick + * it all into .data: */ + . = ALIGN(16); + _bss = .; + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + . = ALIGN(16); + _bss_end = .; } . = ALIGN(4096); .vendor_cert : { - *(.vendor_cert) + *(.vendor_cert) } + . = ALIGN(4096); - .dynamic : { *(.dynamic) } + .rel.dyn : { *(.rel.dyn) } + .rel.plt : { *(.rel.plt) } + .rel.got : { *(.rel.got) } + .rel.data : { *(.rel.data) *(.rel.data*) } + _edata = .; + _data_size = . - _etext; + . = ALIGN(4096); - .rel : - { - *(.rel.data) - *(.rel.data.*) - *(.rel.got) - *(.rel.stab) - *(.data.rel.ro.local) - *(.data.rel.local) - *(.data.rel.ro) - *(.data.rel*) - } + .dynsym : { *(.dynsym) } . = ALIGN(4096); - .dynsym : { *(.dynsym) } - . = ALIGN(4096); - .dynstr : { *(.dynstr) } + .dynstr : { *(.dynstr) } . = ALIGN(4096); /DISCARD/ : { From 9ac3f69597b1460a59ed6ca8c752acc8a8577c6d Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sun, 21 Sep 2014 16:25:28 -0400 Subject: [PATCH 150/163] Make list_keys() index variables all be signed. We build with -Werror=signed-compare in fedora/rhel rpms, and this showed up. Signed-off-by: Peter Jones --- MokManager.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MokManager.c b/MokManager.c index 50cb9d7..ecbcdd3 100644 --- a/MokManager.c +++ b/MokManager.c @@ -436,11 +436,11 @@ static void show_mok_info (void *Mok, UINTN MokSize) static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) { - UINT32 MokNum = 0; + INTN MokNum = 0; MokListNode *keys = NULL; INTN key_num = 0; CHAR16 **menu_strings; - unsigned int i; + int i; if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA))) { From 05b61752dbc651d51956263aa78681cf6bbcaa63 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 30 Sep 2014 22:49:21 -0400 Subject: [PATCH 151/163] Revert header changes Revert "Do the same for ia32..." and "Generate a sane PE header on shim, fallback, and MokManager." This reverts commit 6744a7ef8eca44948565c3d1244ec931ed3f6fee. and commit 0e7ba5947eb38b79de2051ecf3b95055e620475c. These are premature and I can do this without such drastic measures. Signed-off-by: Peter Jones --- Makefile | 42 +++-------- crt0-efi-ia32.S | 180 --------------------------------------------- crt0-efi-x86_64.S | 177 -------------------------------------------- elf_ia32_efi.lds | 83 +++++++++++---------- elf_x86_64_efi.lds | 89 +++++++++++----------- 5 files changed, 99 insertions(+), 472 deletions(-) delete mode 100644 crt0-efi-ia32.S delete mode 100644 crt0-efi-x86_64.S diff --git a/Makefile b/Makefile index a52984f..5bc513c 100644 --- a/Makefile +++ b/Makefile @@ -6,25 +6,16 @@ ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) SUBDIRS = Cryptlib lib +LIB_PATH = /usr/lib64 + EFI_INCLUDE := /usr/include/efi EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude -ifeq ($(ARCH),ia32) -LIB_PATH := /usr/lib -EFI_PATH := /usr/lib/gnuefi -endif -LIB_PATH ?= /usr/lib64 -EFI_PATH ?= /usr/lib64/gnuefi +EFI_PATH := /usr/lib64/gnuefi LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) -ifeq ($(ARCH),x86_64) -EFI_CRT_OBJS := crt0-efi-$(ARCH).o -else ifeq ($(ARCH),ia32) -EFI_CRT_OBJS := crt0-efi-$(ARCH).o -else -EFI_CRT_OBJS ?= $(EFI_PATH)/crt0-efi-$(ARCH).o -endif +EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi @@ -61,11 +52,11 @@ ifneq ($(origin VENDOR_DBX_FILE), undefined) CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" endif -LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL +LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) VERSION = 0.7 -TARGET += shim.efi MokManager.efi.signed fallback.efi.signed +TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h @@ -103,17 +94,17 @@ shim.o: $(SOURCES) shim_cert.h cert.o : cert.S $(CC) $(CFLAGS) -c -o $@ $< -shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(EFI_CRT_OBJS) +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) fallback.o: $(FALLBACK_SRCS) -fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(EFI_CRT_OBJS) +fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) MokManager.o: $(MOK_SOURCES) -MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(EFI_CRT_OBJS) +MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a Cryptlib/libcryptlib.a: @@ -137,23 +128,8 @@ SUBSYSTEM := 0xa LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) endif -ifeq ($(ARCH),x86_64) -FORMAT := -O binary -SUBSYSTEM := 0xa -LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) -endif - -ifeq ($(ARCH),ia32) -FORMAT := -O binary -SUBSYSTEM := 0xa -LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) -endif - FORMAT ?= --target efi-app-$(ARCH) -crt0-efi-$(ARCH).o : crt0-efi-$(ARCH).S - $(CC) $(CFLAGS) -DEFI_SUBSYSTEM=$(SUBSYSTEM) -c -o $@ $< - %.efi: %.so $(OBJCOPY) -j .text -j .sdata -j .data \ -j .dynamic -j .dynsym -j .rel* \ diff --git a/crt0-efi-ia32.S b/crt0-efi-ia32.S deleted file mode 100644 index 70b5b44..0000000 --- a/crt0-efi-ia32.S +++ /dev/null @@ -1,180 +0,0 @@ -/* crt0-efi-x86_64.S - x86_64 EFI startup code. - * - * Copyright 2014 Red Hat, Inc. - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - .section .text.head - - /* - * Magic "MZ" signature for PE/COFF - */ - .globl ImageBase -ImageBase: - .ascii "MZ" - .skip 58 // 'MZ' + pad + offset == 64 - .long pe_header - ImageBase // Offset to the PE header. - .long 0x0eba1f0e /* terrifying code */ - .long 0xcd09b400 /* terrifying code */ - .long 0x4c01b821 /* terrifying code */ - .short 0x21cd /* terrfiying code */ - .ascii "The only winning move is not to play.\r\r\n$" /* DOS text */ - .skip 9 -pe_header: - .ascii "PE" - .short 0 -coff_header: - .short 0x014c // i386 - .short 1 // nr_sections - .long 0 // TimeDateStamp - .long 0 // PointerToSymbolTable - .long 0 // NumberOfSymbols - .short section_table - optional_header // SizeOfOptionalHeader - .short 0x306 // Characteristics. - // IMAGE_FILE_DEBUG_STRIPPED | - // IMAGE_FILE_EXECUTABLE_IMAGE | - // IMAGE_FILE_LINE_NUMS_STRIPPED - // | IMAGE_FILE_32BIT_MACHINE -optional_header: - .short 0x10b // PE32+ format - .byte 0x02 // MajorLinkerVersion - .byte 0x18 // MinorLinkerVersion - .long _edata - _start // SizeOfCode - .long 0 // SizeOfInitializedData - .long 0 // SizeOfUninitializedData - .long _start - ImageBase // AddressOfEntryPoint - .long _start - ImageBase // BaseOfCode - .long 0 // BaseOfData - -extra_header_fields: - .long 0 // ImageBase - .long 0x20 // SectionAlignment - .long 0x8 // FileAlignment - .short 0 // MajorOperatingSystemVersion - .short 0 // MinorOperatingSystemVersion - .short 0 // MajorImageVersion - .short 0 // MinorImageVersion - .short 0 // MajorSubsystemVersion - .short 0 // MinorSubsystemVersion - .long 0 // Win32VersionValue - - .long _edata - ImageBase // SizeOfImage - - // Everything before the kernel image is considered part of the header - .long _start - ImageBase // SizeOfHeaders - .long 0 // CheckSum - .short EFI_SUBSYSTEM // Subsystem - .short 0 // DllCharacteristics - .long 0 // SizeOfStackReserve - .long 0 // SizeOfStackCommit - .long 0 // SizeOfHeapReserve - .long 0 // SizeOfHeapCommit - .long 0 // LoaderFlags - .long 0x10 // NumberOfRvaAndSizes - - .quad 0 // ExportTable - .quad 0 // ImportTable - .quad 0 // ResourceTable - .quad 0 // ExceptionTable - .quad 0 // CertificationTable - .quad 0 // BaseRelocationTable - .quad 0 // DebugTable - .quad 0 // ArchTable - .quad 0 // GlobalPointerTable - .quad 0 // .tls - .quad 0 // LoadConfigTable - .quad 0 // BoundImportsTable - .quad 0 // ImportAddressTable - .quad 0 // DelayLoadImportTable - .quad 0 // ClrRuntimeHeader (.cor) - .quad 0 // Reserved - - // Section table -section_table: - .ascii ".text" - .byte 0 - .byte 0 - .byte 0 // end of 0 padding of section name - - .long _edata - _start // VirtualSize - .long _start - ImageBase // VirtualAddress - .long _edata - _start // SizeOfRawData - .long _start - ImageBase // PointerToRawData - .long 0 // PointerToRelocations (0 for executables) - .long 0 // PointerToLineNumbers (0 for executables) - .short 0 // NumberOfRelocations (0 for executables) - .short 0 // NumberOfLineNumbers (0 for executables) - .long 0x60500020 // Characteristics (section flags) - - /* - * The EFI application loader requires a relocation section - * because EFI applications must be relocatable. This is a - * dummy section as far as we are concerned. - */ - .ascii ".reloc" - .byte 0 - .byte 0 // end of 0 padding of section name - - .long 0 // VirtualSize - .long 0 // VirtualAddress - .long 0 // SizeOfRawData - .long 0 // PointerToRawData - .long 0 // PointerToRelocations - .long 0 // PointerToLineNumbers - .short 0 // NumberOfRelocations - .short 0 // NumberOfLineNumbers - .long 0x42100040 // Characteristics (section flags) - - /* most if not all ia32 binaries binutils makes seem to have .text - * starting at 0x400; no reason to assume that's a bad idea. */ - .align 1024 - -_start: - pushl %ebp - movl %esp,%ebp - - pushl 12(%ebp) # copy "image" argument - pushl 8(%ebp) # copy "systab" argument - - call 0f -0: popl %eax - movl %eax,%ebx - - addl $ImageBase-0b,%eax # %eax = ldbase - addl $_DYNAMIC-0b,%ebx # %ebx = _DYNAMIC - - pushl %ebx # pass _DYNAMIC as second argument - pushl %eax # pass ldbase as first argument - call _relocate - popl %ebx - popl %ebx - testl %eax,%eax - jne .exit - - call efi_main # call app with "image" and "systab" argument - -.exit: - leave - ret diff --git a/crt0-efi-x86_64.S b/crt0-efi-x86_64.S deleted file mode 100644 index f334a63..0000000 --- a/crt0-efi-x86_64.S +++ /dev/null @@ -1,177 +0,0 @@ -/* crt0-efi-x86_64.S - x86_64 EFI startup code. - * - * Copyright 2014 Red Hat, Inc. - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - .section .text.head - - /* - * Magic "MZ" signature for PE/COFF - */ - .globl ImageBase -ImageBase: - .ascii "MZ" - .skip 58 // 'MZ' + pad + offset == 64 - .long pe_header - ImageBase // Offset to the PE header. - .long 0x0eba1f0e /* terrifying code */ - .long 0xcd09b400 /* terrifying code */ - .long 0x4c01b821 /* terrifying code */ - .short 0x21cd /* terrfiying code */ - .ascii "The only winning move is not to play.\r\r\n$" /* DOS text */ - .skip 9 -pe_header: - .ascii "PE" - .short 0 -coff_header: - .short 0x8664 // x86_64 - .short 1 // nr_sections - .long 0 // TimeDateStamp - .long 0 // PointerToSymbolTable - .long 0 // NumberOfSymbols - .short section_table - optional_header // SizeOfOptionalHeader - .short 0x206 // Characteristics. - // IMAGE_FILE_DEBUG_STRIPPED | - // IMAGE_FILE_EXECUTABLE_IMAGE | - // IMAGE_FILE_LINE_NUMS_STRIPPED -optional_header: - .short 0x20b // PE32+ format - .byte 0x02 // MajorLinkerVersion - .byte 0x18 // MinorLinkerVersion - .long _edata - _start // SizeOfCode - .long 0 // SizeOfInitializedData - .long 0 // SizeOfUninitializedData - .long _start - ImageBase // AddressOfEntryPoint - .long _start - ImageBase // BaseOfCode - -extra_header_fields: - .quad 0 // ImageBase - .long 0x20 // SectionAlignment - .long 0x8 // FileAlignment - .short 0 // MajorOperatingSystemVersion - .short 0 // MinorOperatingSystemVersion - .short 0 // MajorImageVersion - .short 0 // MinorImageVersion - .short 0 // MajorSubsystemVersion - .short 0 // MinorSubsystemVersion - .long 0 // Win32VersionValue - - .long _edata - ImageBase // SizeOfImage - - // Everything before the kernel image is considered part of the header - .long _start - ImageBase // SizeOfHeaders - .long 0 // CheckSum - .short EFI_SUBSYSTEM // Subsystem - .short 0 // DllCharacteristics - .quad 0 // SizeOfStackReserve - .quad 0 // SizeOfStackCommit - .quad 0 // SizeOfHeapReserve - .quad 0 // SizeOfHeapCommit - .long 0 // LoaderFlags - .long 0x10 // NumberOfRvaAndSizes - - .quad 0 // ExportTable - .quad 0 // ImportTable - .quad 0 // ResourceTable - .quad 0 // ExceptionTable - .quad 0 // CertificationTable - .quad 0 // BaseRelocationTable - .quad 0 // DebugTable - .quad 0 // ArchTable - .quad 0 // GlobalPointerTable - .quad 0 // .tls - .quad 0 // LoadConfigTable - .quad 0 // BoundImportsTable - .quad 0 // ImportAddressTable - .quad 0 // DelayLoadImportTable - .quad 0 // ClrRuntimeHeader (.cor) - .quad 0 // Reserved - - // Section table -section_table: - .ascii ".text" - .byte 0 - .byte 0 - .byte 0 // end of 0 padding of section name - - .long _edata - _start // VirtualSize - .long _start - ImageBase // VirtualAddress - .long _edata - _start // SizeOfRawData - .long _start - ImageBase // PointerToRawData - .long 0 // PointerToRelocations (0 for executables) - .long 0 // PointerToLineNumbers (0 for executables) - .short 0 // NumberOfRelocations (0 for executables) - .short 0 // NumberOfLineNumbers (0 for executables) - .long 0x60500020 // Characteristics (section flags) - - /* - * The EFI application loader requires a relocation section - * because EFI applications must be relocatable. This is a - * dummy section as far as we are concerned. - */ - .ascii ".reloc" - .byte 0 - .byte 0 // end of 0 padding of section name - - .long 0 // VirtualSize - .long 0 // VirtualAddress - .long 0 // SizeOfRawData - .long 0 // PointerToRawData - .long 0 // PointerToRelocations - .long 0 // PointerToLineNumbers - .short 0 // NumberOfRelocations - .short 0 // NumberOfLineNumbers - .long 0x42100040 // Characteristics (section flags) - - /* x86-64 needs this padding here; without it, some machines simply - * refuse to admit this is an EFI binary. I'm not really sure why; - * reading the spec, it's unclear, but you'd expect it would need to - * be aligned to (1 << FileAlignment), which would mean not having - * the spacing. - */ - .quad 0 -_start: - subq $8, %rsp - pushq %rcx - pushq %rdx - -0: - lea ImageBase(%rip), %rdi - lea _DYNAMIC(%rip), %rsi - - popq %rcx - popq %rdx - pushq %rcx - pushq %rdx - call _relocate - - popq %rdi - popq %rsi - - call efi_main - addq $8, %rsp - -.exit: - ret diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds index b649e15..12d4085 100644 --- a/elf_ia32_efi.lds +++ b/elf_ia32_efi.lds @@ -3,56 +3,61 @@ OUTPUT_ARCH(i386) ENTRY(_start) SECTIONS { - .text 0x0 : { - *(.text.head) - *(.text) - *(.text.*) - *(.gnu.linkonce.t.*) - *(.srodata) - *(.rodata*) - . = ALIGN(16); - _etext = .; + . = 0; + ImageBase = .; + .hash : { *(.hash) } /* this MUST come first! */ + . = ALIGN(4096); + .text : + { + *(.text) + *(.text.*) + *(.gnu.linkonce.t.*) } - .dynamic : { *(.dynamic) } + .reloc : + { + *(.reloc) + } + . = ALIGN(4096); .data : { - *(.sdata) - *(.data) - *(.data1) - *(.data.*) - *(.got.plt) - *(.got) - - /* the EFI loader doesn't seem to like a .bss section, so we stick - * it all into .data: */ - . = ALIGN(16); - _bss = .; - *(.sbss) - *(.scommon) - *(.dynbss) - *(.bss) - *(COMMON) - . = ALIGN(16); - _bss_end = .; + *(.rodata*) + *(.data) + *(.data1) + *(.data.*) + *(.sdata) + *(.got.plt) + *(.got) + /* the EFI loader doesn't seem to like a .bss section, so we stick + it all into .data: */ + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) } . = ALIGN(4096); .vendor_cert : { - *(.vendor_cert) + *(.vendor_cert) } - . = ALIGN(4096); - .rel.dyn : { *(.rel.dyn) } - .rel.plt : { *(.rel.plt) } - .rel.got : { *(.rel.got) } - .rel.data : { *(.rel.data) *(.rel.data*) } - _edata = .; - _data_size = . - _etext; - + .dynamic : { *(.dynamic) } . = ALIGN(4096); - .dynsym : { *(.dynsym) } + .rel : + { + *(.rel.data) + *(.rel.data.*) + *(.rel.got) + *(.rel.stab) + *(.data.rel.ro.local) + *(.data.rel.local) + *(.data.rel.ro) + *(.data.rel*) + } . = ALIGN(4096); - .dynstr : { *(.dynstr) } + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } . = ALIGN(4096); /DISCARD/ : { diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds index 091187b..f981102 100644 --- a/elf_x86_64_efi.lds +++ b/elf_x86_64_efi.lds @@ -4,60 +4,63 @@ OUTPUT_ARCH(i386:x86-64) ENTRY(_start) SECTIONS { - .text 0x0 : { - *(.text.head) - *(.text) - *(.text.*) - *(.gnu.linkonce.t.*) - *(.srodata) - *(.rodata*) - . = ALIGN(16); - _etext = .; + . = 0; + ImageBase = .; + .hash : { *(.hash) } /* this MUST come first! */ + . = ALIGN(4096); + .eh_frame : + { + *(.eh_frame) } - .dynamic : { *(.dynamic) } + . = ALIGN(4096); + .text : + { + *(.text) + } + . = ALIGN(4096); + .reloc : + { + *(.reloc) + } + . = ALIGN(4096); .data : { - *(.sdata) - *(.data) - *(.data1) - *(.data.*) - *(.got.plt) - *(.got) - - /* the EFI loader doesn't seem to like a .bss section, so we stick - * it all into .data: */ - . = ALIGN(16); - _bss = .; - *(.sbss) - *(.scommon) - *(.dynbss) - *(.bss) - *(COMMON) - . = ALIGN(16); - _bss_end = .; + *(.rodata*) + *(.got.plt) + *(.got) + *(.data*) + *(.sdata) + /* the EFI loader doesn't seem to like a .bss section, so we stick + it all into .data: */ + *(.sbss) + *(.scommon) + *(.dynbss) + *(.bss) + *(COMMON) + *(.rel.local) } . = ALIGN(4096); .vendor_cert : { - *(.vendor_cert) + *(.vendor_cert) } - . = ALIGN(4096); - .rela.dyn : { *(.rela.dyn) } - .rela.plt : { *(.rela.plt) } - .rela.got : { *(.rela.got) } - .rela.data : { *(.rela.data) *(.rela.data*) } - _edata = .; - _data_size = . - _etext; - + .dynamic : { *(.dynamic) } . = ALIGN(4096); - .dynsym : { *(.dynsym) } - . = ALIGN(4096); - .dynstr : { *(.dynstr) } - . = ALIGN(4096); - /DISCARD/ : + .rela : { - *(.rel.reloc) + *(.rela.data*) + *(.rela.got) + *(.rela.stab) + } + . = ALIGN(4096); + .dynsym : { *(.dynsym) } + . = ALIGN(4096); + .dynstr : { *(.dynstr) } + . = ALIGN(4096); + .ignored.reloc : + { + *(.rela.reloc) *(.eh_frame) *(.note.GNU-stack) } From a16340e3f79d32b7454426db53b94e611802c6e3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 30 Sep 2014 22:51:32 -0400 Subject: [PATCH 152/163] Actually find the relocations correctly and process them that way. Find the relocations based on the *file* address in the old binary, because it's only the same as the virtual address some of the time. Also perform some extra validation before processing it, and don't bail out in /error/ if both ReloceBase and RelocEnd are null - that condition is fine. Signed-off-by: Peter Jones --- shim.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 77 insertions(+), 13 deletions(-) diff --git a/shim.c b/shim.c index 7cd4182..4baf8b1 100644 --- a/shim.c +++ b/shim.c @@ -222,6 +222,7 @@ image_is_loadable(EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr) * Perform the actual relocation */ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, + EFI_IMAGE_SECTION_HEADER *Section, void *orig, void *data) { EFI_IMAGE_BASE_RELOCATION *RelocBase, *RelocBaseEnd; @@ -233,14 +234,46 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT64 *Fixup64; int size = context->ImageSize; void *ImageEnd = (char *)orig + size; + int n = 0; if (image_is_64_bit(context->PEHdr)) context->PEHdr->Pe32Plus.OptionalHeader.ImageBase = (UINT64)(unsigned long)data; else context->PEHdr->Pe32.OptionalHeader.ImageBase = (UINT32)(unsigned long)data; - RelocBase = ImageAddress(orig, size, context->RelocDir->VirtualAddress); - RelocBaseEnd = ImageAddress(orig, size, context->RelocDir->VirtualAddress + context->RelocDir->Size - 1); + /* Alright, so here's how this works: + * + * context->RelocDir gives us two things: + * - the VA the table of base relocation blocks are (maybe) to be + * mapped at (RelocDir->VirtualAddress) + * - the virtual size (RelocDir->Size) + * + * The .reloc section (Section here) gives us some other things: + * - the name! kind of. (Section->Name) + * - the virtual size (Section->VirtualSize), which should be the same + * as RelocDir->Size + * - the virtual address (Section->VirtualAddress) + * - the file section size (Section->SizeOfRawData), which is + * a multiple of OptHdr->FileAlignment. Only useful for image + * validation, not really useful for iteration bounds. + * - the file address (Section->PointerToRawData) + * - a bunch of stuff we don't use that's 0 in our binaries usually + * - Flags (Section->Characteristics) + * + * and then the thing that's actually at the file address is an array + * of EFI_IMAGE_BASE_RELOCATION structs with some values packed behind + * them. The SizeOfBlock field of this structure includes the + * structure itself, and adding it to that structure's address will + * yield the next entry in the array. + */ + RelocBase = ImageAddress(orig, size, Section->PointerToRawData); + /* RelocBaseEnd here is the address of the first entry /past/ the + * table. */ + RelocBaseEnd = ImageAddress(orig, size, Section->PointerToRawData + + Section->Misc.VirtualSize); + + if (!RelocBase && !RelocBaseEnd) + return EFI_SUCCESS; if (!RelocBase || !RelocBaseEnd) { perror(L"Reloc table overflows binary\n"); @@ -256,19 +289,19 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION)); if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) { - perror(L"Reloc block size %d is invalid\n", RelocBase->SizeOfBlock); + perror(L"Reloc %d block size %d is invalid\n", n, RelocBase->SizeOfBlock); return EFI_UNSUPPORTED; } RelocEnd = (UINT16 *) ((char *) RelocBase + RelocBase->SizeOfBlock); if ((void *)RelocEnd < orig || (void *)RelocEnd > ImageEnd) { - perror(L"Reloc entry overflows binary\n"); + perror(L"Reloc %d entry overflows binary\n", n); return EFI_UNSUPPORTED; } FixupBase = ImageAddress(data, size, RelocBase->VirtualAddress); if (!FixupBase) { - perror(L"Invalid fixupbase\n"); + perror(L"Reloc %d Invalid fixupbase\n", n); return EFI_UNSUPPORTED; } @@ -317,12 +350,13 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, break; default: - perror(L"Unknown relocation\n"); + perror(L"Reloc %d Unknown relocation\n", n); return EFI_UNSUPPORTED; } Reloc += 1; } RelocBase = (EFI_IMAGE_BASE_RELOCATION *) RelocEnd; + n++; } return EFI_SUCCESS; @@ -1102,15 +1136,21 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, CopyMem(buffer, data, context.SizeOfHeaders); + char *RelocBase, *RelocBaseEnd; + RelocBase = ImageAddress(buffer, datasize, + context.RelocDir->VirtualAddress); + /* RelocBaseEnd here is the address of the last byte of the table */ + RelocBaseEnd = ImageAddress(buffer, datasize, + context.RelocDir->VirtualAddress + + context.RelocDir->Size - 1); + + EFI_IMAGE_SECTION_HEADER *RelocSection = NULL; + /* * Copy the executable's sections to their desired offsets */ Section = context.FirstSection; for (i = 0; i < context.NumberOfSections; i++, Section++) { - if (Section->Characteristics & 0x02000000) - /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */ - continue; - size = Section->Misc.VirtualSize; if (size > Section->SizeOfRawData) @@ -1118,7 +1158,6 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, base = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress); end = ImageAddress (buffer, context.ImageSize, Section->VirtualAddress + size - 1); - if (!base || !end) { perror(L"Invalid section size\n"); return EFI_UNSUPPORTED; @@ -1130,6 +1169,30 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return EFI_UNSUPPORTED; } + /* We do want to process .reloc, but it's often marked + * discardable, so we don't want to memcpy it. */ + if (CompareMem(Section->Name, ".reloc\0\0", 8) == 0) { + if (RelocSection) { + perror(L"Image has multiple relocation sections\n"); + return EFI_UNSUPPORTED; + } + /* If it has nonzero sizes, and our bounds check + * made sense, and the VA and size match RelocDir's + * versions, then we believe in this section table. */ + if (Section->SizeOfRawData && + Section->Misc.VirtualSize && + base && end && + RelocBase == base && + RelocBaseEnd == end) { + RelocSection = Section; + } + } + + if (Section->Characteristics & 0x02000000) { + /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */ + continue; + } + if (Section->SizeOfRawData > 0) CopyMem(base, data + Section->PointerToRawData, size); @@ -1143,11 +1206,12 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return EFI_UNSUPPORTED; } - if (context.RelocDir->Size) { + if (context.RelocDir->Size && RelocSection) { /* * Run the relocation fixups */ - efi_status = relocate_coff(&context, data, buffer); + efi_status = relocate_coff(&context, RelocSection, data, + buffer); if (efi_status != EFI_SUCCESS) { perror(L"Relocation failed: %r\n", efi_status); From ada75ade4ca906737bda7741c49b427da9b5763f Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 2 Oct 2014 00:02:43 -0400 Subject: [PATCH 153/163] Don't append an empty cert list to MokListRT if vendor_cert_size is 0. Signed-off-by: Peter Jones --- shim.c | 65 +++++++++++++++++++++++++++++++--------------------------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/shim.c b/shim.c index 4baf8b1..a282ee3 100644 --- a/shim.c +++ b/shim.c @@ -1698,37 +1698,42 @@ EFI_STATUS mirror_mok_list() if (efi_status != EFI_SUCCESS) DataSize = 0; - FullDataSize = DataSize - + sizeof (*CertList) - + sizeof (EFI_GUID) - + vendor_cert_size - ; - FullData = AllocatePool(FullDataSize); - if (!FullData) { - perror(L"Failed to allocate space for MokListRT\n"); - return EFI_OUT_OF_RESOURCES; + if (vendor_cert_size) { + FullDataSize = DataSize + + sizeof (*CertList) + + sizeof (EFI_GUID) + + vendor_cert_size + ; + FullData = AllocatePool(FullDataSize); + if (!FullData) { + perror(L"Failed to allocate space for MokListRT\n"); + return EFI_OUT_OF_RESOURCES; + } + p = FullData; + + if (efi_status == EFI_SUCCESS && DataSize > 0) { + CopyMem(p, Data, DataSize); + p += DataSize; + } + CertList = (EFI_SIGNATURE_LIST *)p; + p += sizeof (*CertList); + CertData = (EFI_SIGNATURE_DATA *)p; + p += sizeof (EFI_GUID); + + CertList->SignatureType = EFI_CERT_X509_GUID; + CertList->SignatureListSize = vendor_cert_size + + sizeof (*CertList) + + sizeof (*CertData) + -1; + CertList->SignatureHeaderSize = 0; + CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, vendor_cert, vendor_cert_size); + } else { + FullDataSize = DataSize; + FullData = Data; } - p = FullData; - - if (efi_status == EFI_SUCCESS && DataSize > 0) { - CopyMem(p, Data, DataSize); - p += DataSize; - } - CertList = (EFI_SIGNATURE_LIST *)p; - p += sizeof (*CertList); - CertData = (EFI_SIGNATURE_DATA *)p; - p += sizeof (EFI_GUID); - - CertList->SignatureType = EFI_CERT_X509_GUID; - CertList->SignatureListSize = vendor_cert_size - + sizeof (*CertList) - + sizeof (*CertData) - -1; - CertList->SignatureHeaderSize = 0; - CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); - - CertData->SignatureOwner = SHIM_LOCK_GUID; - CopyMem(p, vendor_cert, vendor_cert_size); efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", &shim_lock_guid, From e258243e43ca2c9f6ac177ed4153fe92af64fcd8 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 2 Oct 2014 00:02:43 -0400 Subject: [PATCH 154/163] Fix some minor testplan errors. Signed-off-by: Peter Jones --- testplan.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/testplan.txt b/testplan.txt index 2fbf238..ab88781 100644 --- a/testplan.txt +++ b/testplan.txt @@ -12,7 +12,7 @@ How to test a new shim build for RHEL/fedora: -s -c "Red Hat Test Certificate" 6) put pesign-test-app-signed.efi in \EFI\test as grubx64.efi cp /usr/share/pesign-test-app-0.4/pesign-test-app-signed.efi \ - /boot/efi/EFI/test/test.efi + /boot/efi/EFI/test/grubx64.efi 7) sign a copy of grubx64.efi with RHTC and iput it in \EFI\test\ . Also leave an unsigned copy there: pesign -i /boot/efi/EFI/redhat/grubx64.efi \ @@ -38,7 +38,9 @@ How to test a new shim build for RHEL/fedora: 12) put shim.efi there as well cp /boot/efi/EFI/test/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI 13) enroll the current kernel's certificate with mokutil: - mokutil --import ~/redhatsecurebootca2.cer + # this should be a /different/ cert than the one signing pesign-test-app. + # for instance use a RHEL cert for p-t-a and a fedora cert+kernel here. + mokutil --import ~/fedora-ca.cer 14) put machine in setup mode 15) boot to the UEFI shell 16) run lockdown.efi from #4: From f852734c5a15f2fe6a76424ce23daaee870c6c4e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 2 Oct 2014 00:08:50 -0400 Subject: [PATCH 155/163] Don't verify images with the empty build key We replaced the build key with an empty file while compiling shim for our distro. Skip the verification with the empty build key since this makes no sense. Signed-off-by: Gary Ching-Pang Lin --- shim.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shim.c b/shim.c index a282ee3..8076caa 100644 --- a/shim.c +++ b/shim.c @@ -949,7 +949,8 @@ static EFI_STATUS verify_buffer (char *data, int datasize, /* * Check against the shim build key */ - if (AuthenticodeVerify(cert->CertData, + if (sizeof(shim_cert) && + AuthenticodeVerify(cert->CertData, context->SecDir->Size - sizeof(cert->Hdr), shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { From e83cd86c6734e8368429482945855ab9c60b3da5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 2 Oct 2014 00:10:47 -0400 Subject: [PATCH 156/163] Cryptlib: remove the unused files I mistakenly added CryptPkcs7VerifyNull.c which may make Pkcs7Verify always return FALSE. Besides CryptPkcs7VerifyNull.c, there are some functions we would never use. This commit removes those files to avoid any potential trouble. Signed-off-by: Gary Ching-Pang Lin --- Cryptlib/Makefile | 5 +- Cryptlib/Pk/CryptDh.c | 328 ------------------------- Cryptlib/Pk/CryptDhNull.c | 156 ++++++++++++ Cryptlib/Pk/CryptPkcs7Sign.c | 207 ---------------- Cryptlib/Pk/CryptPkcs7VerifyNull.c | 100 -------- Cryptlib/Pk/CryptRsaExt.c | 377 ----------------------------- Cryptlib/update.sh | 5 +- 7 files changed, 158 insertions(+), 1020 deletions(-) delete mode 100644 Cryptlib/Pk/CryptDh.c create mode 100644 Cryptlib/Pk/CryptDhNull.c delete mode 100644 Cryptlib/Pk/CryptPkcs7Sign.c delete mode 100644 Cryptlib/Pk/CryptPkcs7VerifyNull.c delete mode 100644 Cryptlib/Pk/CryptRsaExt.c diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index 73a1e2b..9719a27 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -25,13 +25,10 @@ OBJS = Hash/CryptMd4.o \ Cipher/CryptArc4.o \ Rand/CryptRand.o \ Pk/CryptRsaBasic.o \ - Pk/CryptRsaExt.o \ Pk/CryptRsaExtNull.o \ - Pk/CryptPkcs7Sign.o \ Pk/CryptPkcs7SignNull.o \ Pk/CryptPkcs7Verify.o \ - Pk/CryptPkcs7VerifyNull.o \ - Pk/CryptDh.o \ + Pk/CryptDhNull.o \ Pk/CryptX509.o \ Pk/CryptAuthenticode.o \ Pem/CryptPem.o \ diff --git a/Cryptlib/Pk/CryptDh.c b/Cryptlib/Pk/CryptDh.c deleted file mode 100644 index 942b3d1..0000000 --- a/Cryptlib/Pk/CryptDh.c +++ /dev/null @@ -1,328 +0,0 @@ -/** @file - Diffie-Hellman Wrapper Implementation over OpenSSL. - -Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" -#include - - -/** - Allocates and Initializes one Diffie-Hellman Context for subsequent use. - - @return Pointer to the Diffie-Hellman Context that has been initialized. - If the allocations fails, DhNew() returns NULL. - -**/ -VOID * -EFIAPI -DhNew ( - VOID - ) -{ - // - // Allocates & Initializes DH Context by OpenSSL DH_new() - // - return (VOID *) DH_new (); -} - -/** - Release the specified DH context. - - If DhContext is NULL, then return FALSE. - - @param[in] DhContext Pointer to the DH context to be released. - -**/ -VOID -EFIAPI -DhFree ( - IN VOID *DhContext - ) -{ - // - // Free OpenSSL DH Context - // - DH_free ((DH *) DhContext); -} - -/** - Generates DH parameter. - - Given generator g, and length of prime number p in bits, this function generates p, - and sets DH context according to value of g and p. - - Before this function can be invoked, pseudorandom number generator must be correctly - initialized by RandomSeed(). - - If DhContext is NULL, then return FALSE. - If Prime is NULL, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] Generator Value of generator. - @param[in] PrimeLength Length in bits of prime to be generated. - @param[out] Prime Pointer to the buffer to receive the generated prime number. - - @retval TRUE DH pamameter generation succeeded. - @retval FALSE Value of Generator is not supported. - @retval FALSE PRNG fails to generate random prime number with PrimeLength. - -**/ -BOOLEAN -EFIAPI -DhGenerateParameter ( - IN OUT VOID *DhContext, - IN UINTN Generator, - IN UINTN PrimeLength, - OUT UINT8 *Prime - ) -{ - BOOLEAN RetVal; - - // - // Check input parameters. - // - if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { - return FALSE; - } - - if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) { - return FALSE; - } - - RetVal = (BOOLEAN) DH_generate_parameters_ex (DhContext, (UINT32) PrimeLength, (UINT32) Generator, NULL); - if (!RetVal) { - return FALSE; - } - - BN_bn2bin (((DH *) DhContext)->p, Prime); - - return TRUE; -} - -/** - Sets generator and prime parameters for DH. - - Given generator g, and prime number p, this function and sets DH - context accordingly. - - If DhContext is NULL, then return FALSE. - If Prime is NULL, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] Generator Value of generator. - @param[in] PrimeLength Length in bits of prime to be generated. - @param[in] Prime Pointer to the prime number. - - @retval TRUE DH pamameter setting succeeded. - @retval FALSE Value of Generator is not supported. - @retval FALSE Value of Generator is not suitable for the Prime. - @retval FALSE Value of Prime is not a prime number. - @retval FALSE Value of Prime is not a safe prime number. - -**/ -BOOLEAN -EFIAPI -DhSetParameter ( - IN OUT VOID *DhContext, - IN UINTN Generator, - IN UINTN PrimeLength, - IN CONST UINT8 *Prime - ) -{ - DH *Dh; - BIGNUM *Bn; - - // - // Check input parameters. - // - if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) { - return FALSE; - } - - if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) { - return FALSE; - } - - Bn = NULL; - - Dh = (DH *) DhContext; - Dh->g = NULL; - Dh->p = BN_new (); - if (Dh->p == NULL) { - goto Error; - } - - Dh->g = BN_new (); - if (Dh->g == NULL) { - goto Error; - } - - Bn = BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p); - if (Bn == NULL) { - goto Error; - } - - if (BN_set_word (Dh->g, (UINT32) Generator) == 0) { - goto Error; - } - - return TRUE; - -Error: - - if (Dh->p != NULL) { - BN_free (Dh->p); - } - - if (Dh->g != NULL) { - BN_free (Dh->g); - } - - if (Bn != NULL) { - BN_free (Bn); - } - - return FALSE; -} - -/** - Generates DH public key. - - This function generates random secret exponent, and computes the public key, which is - returned via parameter PublicKey and PublicKeySize. DH context is updated accordingly. - If the PublicKey buffer is too small to hold the public key, FALSE is returned and - PublicKeySize is set to the required buffer size to obtain the public key. - - If DhContext is NULL, then return FALSE. - If PublicKeySize is NULL, then return FALSE. - If PublicKeySize is large enough but PublicKey is NULL, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[out] PublicKey Pointer to the buffer to receive generated public key. - @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. - On output, the size of data returned in PublicKey buffer in bytes. - - @retval TRUE DH public key generation succeeded. - @retval FALSE DH public key generation failed. - @retval FALSE PublicKeySize is not large enough. - -**/ -BOOLEAN -EFIAPI -DhGenerateKey ( - IN OUT VOID *DhContext, - OUT UINT8 *PublicKey, - IN OUT UINTN *PublicKeySize - ) -{ - BOOLEAN RetVal; - DH *Dh; - INTN Size; - - // - // Check input parameters. - // - if (DhContext == NULL || PublicKeySize == NULL) { - return FALSE; - } - - if (PublicKey == NULL && *PublicKeySize != 0) { - return FALSE; - } - - Dh = (DH *) DhContext; - - RetVal = (BOOLEAN) DH_generate_key (DhContext); - if (RetVal) { - Size = BN_num_bytes (Dh->pub_key); - if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) { - *PublicKeySize = Size; - return FALSE; - } - - BN_bn2bin (Dh->pub_key, PublicKey); - *PublicKeySize = Size; - } - - return RetVal; -} - -/** - Computes exchanged common key. - - Given peer's public key, this function computes the exchanged common key, based on its own - context including value of prime modulus and random secret exponent. - - If DhContext is NULL, then return FALSE. - If PeerPublicKey is NULL, then return FALSE. - If KeySize is NULL, then return FALSE. - If Key is NULL, then return FALSE. - If KeySize is not large enough, then return FALSE. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] PeerPublicKey Pointer to the peer's public key. - @param[in] PeerPublicKeySize Size of peer's public key in bytes. - @param[out] Key Pointer to the buffer to receive generated key. - @param[in, out] KeySize On input, the size of Key buffer in bytes. - On output, the size of data returned in Key buffer in bytes. - - @retval TRUE DH exchanged key generation succeeded. - @retval FALSE DH exchanged key generation failed. - @retval FALSE KeySize is not large enough. - -**/ -BOOLEAN -EFIAPI -DhComputeKey ( - IN OUT VOID *DhContext, - IN CONST UINT8 *PeerPublicKey, - IN UINTN PeerPublicKeySize, - OUT UINT8 *Key, - IN OUT UINTN *KeySize - ) -{ - BIGNUM *Bn; - INTN Size; - - // - // Check input parameters. - // - if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL || Key == NULL) { - return FALSE; - } - - if (PeerPublicKeySize > INT_MAX) { - return FALSE; - } - - Bn = BN_bin2bn (PeerPublicKey, (UINT32) PeerPublicKeySize, NULL); - if (Bn == NULL) { - return FALSE; - } - - Size = DH_compute_key (Key, Bn, DhContext); - if (Size < 0) { - BN_free (Bn); - return FALSE; - } - - if (*KeySize < (UINTN) Size) { - *KeySize = Size; - BN_free (Bn); - return FALSE; - } - - *KeySize = Size; - BN_free (Bn); - return TRUE; -} diff --git a/Cryptlib/Pk/CryptDhNull.c b/Cryptlib/Pk/CryptDhNull.c new file mode 100644 index 0000000..35045db --- /dev/null +++ b/Cryptlib/Pk/CryptDhNull.c @@ -0,0 +1,156 @@ +/** @file + Diffie-Hellman Wrapper Implementation which does not provide + real capabilities. + +Copyright (c) 2012, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and Initializes one Diffie-Hellman Context for subsequent use. + + @return Pointer to the Diffie-Hellman Context that has been initialized. + If the interface is not supported, DhNew() returns NULL. + +**/ +VOID * +EFIAPI +DhNew ( + VOID + ) +{ + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified DH context. + + If the interface is not supported, then ASSERT(). + + @param[in] DhContext Pointer to the DH context to be released. + +**/ +VOID +EFIAPI +DhFree ( + IN VOID *DhContext + ) +{ + ASSERT (FALSE); +} + +/** + Generates DH parameter. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[out] Prime Pointer to the buffer to receive the generated prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + OUT UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Sets generator and prime parameters for DH. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] Generator Value of generator. + @param[in] PrimeLength Length in bits of prime to be generated. + @param[in] Prime Pointer to the prime number. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhSetParameter ( + IN OUT VOID *DhContext, + IN UINTN Generator, + IN UINTN PrimeLength, + IN CONST UINT8 *Prime + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Generates DH public key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[out] PublicKey Pointer to the buffer to receive generated public key. + @param[in, out] PublicKeySize On input, the size of PublicKey buffer in bytes. + On output, the size of data returned in PublicKey buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhGenerateKey ( + IN OUT VOID *DhContext, + OUT UINT8 *PublicKey, + IN OUT UINTN *PublicKeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes exchanged common key. + + Return FALSE to indicate this interface is not supported. + + @param[in, out] DhContext Pointer to the DH context. + @param[in] PeerPublicKey Pointer to the peer's public key. + @param[in] PeerPublicKeySize Size of peer's public key in bytes. + @param[out] Key Pointer to the buffer to receive generated key. + @param[in, out] KeySize On input, the size of Key buffer in bytes. + On output, the size of data returned in Key buffer in bytes. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +DhComputeKey ( + IN OUT VOID *DhContext, + IN CONST UINT8 *PeerPublicKey, + IN UINTN PeerPublicKeySize, + OUT UINT8 *Key, + IN OUT UINTN *KeySize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/Cryptlib/Pk/CryptPkcs7Sign.c b/Cryptlib/Pk/CryptPkcs7Sign.c deleted file mode 100644 index 63fe78f..0000000 --- a/Cryptlib/Pk/CryptPkcs7Sign.c +++ /dev/null @@ -1,207 +0,0 @@ -/** @file - PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL. - -Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" - -#include -#include -#include - - -/** - Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message - Syntax Standard, version 1.5". This interface is only intended to be used for - application to perform PKCS#7 functionality validation. - - @param[in] PrivateKey Pointer to the PEM-formatted private key data for - data signing. - @param[in] PrivateKeySize Size of the PEM private key data in bytes. - @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM - key data. - @param[in] InData Pointer to the content to be signed. - @param[in] InDataSize Size of InData in bytes. - @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with. - @param[in] OtherCerts Pointer to an optional additional set of certificates to - include in the PKCS#7 signedData (e.g. any intermediate - CAs in the chain). - @param[out] SignedData Pointer to output PKCS#7 signedData. - @param[out] SignedDataSize Size of SignedData in bytes. - - @retval TRUE PKCS#7 data signing succeeded. - @retval FALSE PKCS#7 data signing failed. - -**/ -BOOLEAN -EFIAPI -Pkcs7Sign ( - IN CONST UINT8 *PrivateKey, - IN UINTN PrivateKeySize, - IN CONST UINT8 *KeyPassword, - IN UINT8 *InData, - IN UINTN InDataSize, - IN UINT8 *SignCert, - IN UINT8 *OtherCerts OPTIONAL, - OUT UINT8 **SignedData, - OUT UINTN *SignedDataSize - ) -{ - BOOLEAN Status; - EVP_PKEY *Key; - BIO *DataBio; - PKCS7 *Pkcs7; - UINT8 *RsaContext; - UINT8 *P7Data; - UINTN P7DataSize; - UINT8 *Tmp; - - // - // Check input parameters. - // - if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL || - SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) { - return FALSE; - } - - RsaContext = NULL; - Key = NULL; - Pkcs7 = NULL; - DataBio = NULL; - Status = FALSE; - - // - // Retrieve RSA private key from PEM data. - // - Status = RsaGetPrivateKeyFromPem ( - PrivateKey, - PrivateKeySize, - (CONST CHAR8 *) KeyPassword, - (VOID **) &RsaContext - ); - if (!Status) { - return Status; - } - - Status = FALSE; - - // - // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling - // - if (EVP_add_digest (EVP_md5 ()) == 0) { - goto _Exit; - } - if (EVP_add_digest (EVP_sha1 ()) == 0) { - goto _Exit; - } - if (EVP_add_digest (EVP_sha256 ()) == 0) { - goto _Exit; - } - - RandomSeed (NULL, 0); - - // - // Construct OpenSSL EVP_PKEY for private key. - // - Key = EVP_PKEY_new (); - if (Key == NULL) { - goto _Exit; - } - Key->save_type = EVP_PKEY_RSA; - Key->type = EVP_PKEY_type (EVP_PKEY_RSA); - Key->pkey.rsa = (RSA *) RsaContext; - - // - // Convert the data to be signed to BIO format. - // - DataBio = BIO_new (BIO_s_mem ()); - if (DataBio == NULL) { - goto _Exit; - } - - if (BIO_write (DataBio, InData, (int) InDataSize) <= 0) { - goto _Exit; - } - - // - // Create the PKCS#7 signedData structure. - // - Pkcs7 = PKCS7_sign ( - (X509 *) SignCert, - Key, - (STACK_OF(X509) *) OtherCerts, - DataBio, - PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED - ); - if (Pkcs7 == NULL) { - goto _Exit; - } - - // - // Convert PKCS#7 signedData structure into DER-encoded buffer. - // - P7DataSize = i2d_PKCS7 (Pkcs7, NULL); - if (P7DataSize <= 19) { - goto _Exit; - } - - P7Data = malloc (P7DataSize); - if (P7Data == NULL) { - goto _Exit; - } - - Tmp = P7Data; - P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp); - ASSERT (P7DataSize > 19); - - // - // Strip ContentInfo to content only for signeddata. The data be trimmed off - // is totally 19 bytes. - // - *SignedDataSize = P7DataSize - 19; - *SignedData = malloc (*SignedDataSize); - if (*SignedData == NULL) { - OPENSSL_free (P7Data); - goto _Exit; - } - - CopyMem (*SignedData, P7Data + 19, *SignedDataSize); - - OPENSSL_free (P7Data); - - Status = TRUE; - -_Exit: - // - // Release Resources - // - if (RsaContext != NULL) { - RsaFree (RsaContext); - if (Key != NULL) { - Key->pkey.rsa = NULL; - } - } - - if (Key != NULL) { - EVP_PKEY_free (Key); - } - - if (DataBio != NULL) { - BIO_free (DataBio); - } - - if (Pkcs7 != NULL) { - PKCS7_free (Pkcs7); - } - - return Status; -} diff --git a/Cryptlib/Pk/CryptPkcs7VerifyNull.c b/Cryptlib/Pk/CryptPkcs7VerifyNull.c deleted file mode 100644 index 9a4c77a..0000000 --- a/Cryptlib/Pk/CryptPkcs7VerifyNull.c +++ /dev/null @@ -1,100 +0,0 @@ -/** @file - PKCS#7 SignedData Verification Wrapper Implementation which does not provide - real capabilities. - -Copyright (c) 2012, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" - -/** - Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: - Cryptographic Message Syntax Standard". The input signed data could be wrapped - in a ContentInfo structure. - - Return FALSE to indicate this interface is not supported. - - @param[in] P7Data Pointer to the PKCS#7 message to verify. - @param[in] P7Length Length of the PKCS#7 message in bytes. - @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. - It's caller's responsiblity to free the buffer. - @param[out] StackLength Length of signer's certificates in bytes. - @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. - It's caller's responsiblity to free the buffer. - @param[out] CertLength Length of the trusted certificate in bytes. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -Pkcs7GetSigners ( - IN CONST UINT8 *P7Data, - IN UINTN P7Length, - OUT UINT8 **CertStack, - OUT UINTN *StackLength, - OUT UINT8 **TrustedCert, - OUT UINTN *CertLength - ) -{ - ASSERT (FALSE); - return FALSE; -} - -/** - Wrap function to use free() to free allocated memory for certificates. - - If the interface is not supported, then ASSERT(). - - @param[in] Certs Pointer to the certificates to be freed. - -**/ -VOID -EFIAPI -Pkcs7FreeSigners ( - IN UINT8 *Certs - ) -{ - ASSERT (FALSE); -} - -/** - Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: - Cryptographic Message Syntax Standard". The input signed data could be wrapped - in a ContentInfo structure. - - Return FALSE to indicate this interface is not supported. - - @param[in] P7Data Pointer to the PKCS#7 message to verify. - @param[in] P7Length Length of the PKCS#7 message in bytes. - @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which - is used for certificate chain verification. - @param[in] CertLength Length of the trusted certificate in bytes. - @param[in] InData Pointer to the content to be verified. - @param[in] DataLength Length of InData in bytes. - - @retval FALSE This interface is not supported. - -**/ -BOOLEAN -EFIAPI -Pkcs7Verify ( - IN CONST UINT8 *P7Data, - IN UINTN P7Length, - IN CONST UINT8 *TrustedCert, - IN UINTN CertLength, - IN CONST UINT8 *InData, - IN UINTN DataLength - ) -{ - ASSERT (FALSE); - return FALSE; -} diff --git a/Cryptlib/Pk/CryptRsaExt.c b/Cryptlib/Pk/CryptRsaExt.c deleted file mode 100644 index 5c21d12..0000000 --- a/Cryptlib/Pk/CryptRsaExt.c +++ /dev/null @@ -1,377 +0,0 @@ -/** @file - RSA Asymmetric Cipher Wrapper Implementation over OpenSSL. - - This file implements following APIs which provide more capabilities for RSA: - 1) RsaGetKey - 2) RsaGenerateKey - 3) RsaCheckKey - 4) RsaPkcs1Sign - -Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "InternalCryptLib.h" - -#include -#include -#include - -/** - Gets the tag-designated RSA key component from the established RSA context. - - This function retrieves the tag-designated RSA key component from the - established RSA context as a non-negative integer (octet string format - represented in RSA PKCS#1). - If specified key component has not been set or has been cleared, then returned - BnSize is set to 0. - If the BigNumber buffer is too small to hold the contents of the key, FALSE - is returned and BnSize is set to the required buffer size to obtain the key. - - If RsaContext is NULL, then return FALSE. - If BnSize is NULL, then return FALSE. - If BnSize is large enough but BigNumber is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] KeyTag Tag of RSA key component being set. - @param[out] BigNumber Pointer to octet integer buffer. - @param[in, out] BnSize On input, the size of big number buffer in bytes. - On output, the size of data returned in big number buffer in bytes. - - @retval TRUE RSA key component was retrieved successfully. - @retval FALSE Invalid RSA key component tag. - @retval FALSE BnSize is too small. - -**/ -BOOLEAN -EFIAPI -RsaGetKey ( - IN OUT VOID *RsaContext, - IN RSA_KEY_TAG KeyTag, - OUT UINT8 *BigNumber, - IN OUT UINTN *BnSize - ) -{ - RSA *RsaKey; - BIGNUM *BnKey; - UINTN Size; - - // - // Check input parameters. - // - if (RsaContext == NULL || BnSize == NULL) { - return FALSE; - } - - RsaKey = (RSA *) RsaContext; - Size = *BnSize; - *BnSize = 0; - - switch (KeyTag) { - - // - // RSA Public Modulus (N) - // - case RsaKeyN: - if (RsaKey->n == NULL) { - return TRUE; - } - BnKey = RsaKey->n; - break; - - // - // RSA Public Exponent (e) - // - case RsaKeyE: - if (RsaKey->e == NULL) { - return TRUE; - } - BnKey = RsaKey->e; - break; - - // - // RSA Private Exponent (d) - // - case RsaKeyD: - if (RsaKey->d == NULL) { - return TRUE; - } - BnKey = RsaKey->d; - break; - - // - // RSA Secret Prime Factor of Modulus (p) - // - case RsaKeyP: - if (RsaKey->p == NULL) { - return TRUE; - } - BnKey = RsaKey->p; - break; - - // - // RSA Secret Prime Factor of Modules (q) - // - case RsaKeyQ: - if (RsaKey->q == NULL) { - return TRUE; - } - BnKey = RsaKey->q; - break; - - // - // p's CRT Exponent (== d mod (p - 1)) - // - case RsaKeyDp: - if (RsaKey->dmp1 == NULL) { - return TRUE; - } - BnKey = RsaKey->dmp1; - break; - - // - // q's CRT Exponent (== d mod (q - 1)) - // - case RsaKeyDq: - if (RsaKey->dmq1 == NULL) { - return TRUE; - } - BnKey = RsaKey->dmq1; - break; - - // - // The CRT Coefficient (== 1/q mod p) - // - case RsaKeyQInv: - if (RsaKey->iqmp == NULL) { - return TRUE; - } - BnKey = RsaKey->iqmp; - break; - - default: - return FALSE; - } - - *BnSize = Size; - Size = BN_num_bytes (BnKey); - - if (*BnSize < Size) { - *BnSize = Size; - return FALSE; - } - - if (BigNumber == NULL) { - return FALSE; - } - *BnSize = BN_bn2bin (BnKey, BigNumber) ; - - return TRUE; -} - -/** - Generates RSA key components. - - This function generates RSA key components. It takes RSA public exponent E and - length in bits of RSA modulus N as input, and generates all key components. - If PublicExponent is NULL, the default RSA public exponent (0x10001) will be used. - - Before this function can be invoked, pseudorandom number generator must be correctly - initialized by RandomSeed(). - - If RsaContext is NULL, then return FALSE. - - @param[in, out] RsaContext Pointer to RSA context being set. - @param[in] ModulusLength Length of RSA modulus N in bits. - @param[in] PublicExponent Pointer to RSA public exponent. - @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes. - - @retval TRUE RSA key component was generated successfully. - @retval FALSE Invalid RSA key component tag. - -**/ -BOOLEAN -EFIAPI -RsaGenerateKey ( - IN OUT VOID *RsaContext, - IN UINTN ModulusLength, - IN CONST UINT8 *PublicExponent, - IN UINTN PublicExponentSize - ) -{ - BIGNUM *KeyE; - BOOLEAN RetVal; - - // - // Check input parameters. - // - if (RsaContext == NULL || ModulusLength > INT_MAX || PublicExponentSize > INT_MAX) { - return FALSE; - } - - KeyE = BN_new (); - if (KeyE == NULL) { - return FALSE; - } - - RetVal = FALSE; - - if (PublicExponent == NULL) { - if (BN_set_word (KeyE, 0x10001) == 0) { - goto _Exit; - } - } else { - if (BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE) == NULL) { - goto _Exit; - } - } - - if (RSA_generate_key_ex ((RSA *) RsaContext, (UINT32) ModulusLength, KeyE, NULL) == 1) { - RetVal = TRUE; - } - -_Exit: - BN_free (KeyE); - return RetVal; -} - -/** - Validates key components of RSA context. - - This function validates key compoents of RSA context in following aspects: - - Whether p is a prime - - Whether q is a prime - - Whether n = p * q - - Whether d*e = 1 mod lcm(p-1,q-1) - - If RsaContext is NULL, then return FALSE. - - @param[in] RsaContext Pointer to RSA context to check. - - @retval TRUE RSA key components are valid. - @retval FALSE RSA key components are not valid. - -**/ -BOOLEAN -EFIAPI -RsaCheckKey ( - IN VOID *RsaContext - ) -{ - UINTN Reason; - - // - // Check input parameters. - // - if (RsaContext == NULL) { - return FALSE; - } - - if (RSA_check_key ((RSA *) RsaContext) != 1) { - Reason = ERR_GET_REASON (ERR_peek_last_error ()); - if (Reason == RSA_R_P_NOT_PRIME || - Reason == RSA_R_Q_NOT_PRIME || - Reason == RSA_R_N_DOES_NOT_EQUAL_P_Q || - Reason == RSA_R_D_E_NOT_CONGRUENT_TO_1) { - return FALSE; - } - } - - return TRUE; -} - -/** - Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme. - - This function carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme defined in - RSA PKCS#1. - If the Signature buffer is too small to hold the contents of signature, FALSE - is returned and SigSize is set to the required buffer size to obtain the signature. - - If RsaContext is NULL, then return FALSE. - If MessageHash is NULL, then return FALSE. - If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. - If SigSize is large enough but Signature is NULL, then return FALSE. - - @param[in] RsaContext Pointer to RSA context for signature generation. - @param[in] MessageHash Pointer to octet message hash to be signed. - @param[in] HashSize Size of the message hash in bytes. - @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature. - @param[in, out] SigSize On input, the size of Signature buffer in bytes. - On output, the size of data returned in Signature buffer in bytes. - - @retval TRUE Signature successfully generated in PKCS1-v1_5. - @retval FALSE Signature generation failed. - @retval FALSE SigSize is too small. - -**/ -BOOLEAN -EFIAPI -RsaPkcs1Sign ( - IN VOID *RsaContext, - IN CONST UINT8 *MessageHash, - IN UINTN HashSize, - OUT UINT8 *Signature, - IN OUT UINTN *SigSize - ) -{ - RSA *Rsa; - UINTN Size; - INT32 DigestType; - - // - // Check input parameters. - // - if (RsaContext == NULL || MessageHash == NULL) { - return FALSE; - } - - Rsa = (RSA *) RsaContext; - Size = BN_num_bytes (Rsa->n); - - if (*SigSize < Size) { - *SigSize = Size; - return FALSE; - } - - if (Signature == NULL) { - return FALSE; - } - - // - // Determine the message digest algorithm according to digest size. - // Only MD5, SHA-1 or SHA-256 algorithm is supported. - // - switch (HashSize) { - case MD5_DIGEST_SIZE: - DigestType = NID_md5; - break; - - case SHA1_DIGEST_SIZE: - DigestType = NID_sha1; - break; - - case SHA256_DIGEST_SIZE: - DigestType = NID_sha256; - break; - - default: - return FALSE; - } - - return (BOOLEAN) RSA_sign ( - DigestType, - MessageHash, - (UINT32) HashSize, - Signature, - (UINT32 *) SigSize, - (RSA *) RsaContext - ); -} diff --git a/Cryptlib/update.sh b/Cryptlib/update.sh index 57b6631..0e34db9 100755 --- a/Cryptlib/update.sh +++ b/Cryptlib/update.sh @@ -14,13 +14,10 @@ cp $DIR/Cipher/CryptTdes.c Cipher/CryptTdes.c cp $DIR/Cipher/CryptArc4.c Cipher/CryptArc4.c cp $DIR/Rand/CryptRand.c Rand/CryptRand.c cp $DIR/Pk/CryptRsaBasic.c Pk/CryptRsaBasic.c -cp $DIR/Pk/CryptRsaExt.c Pk/CryptRsaExt.c cp $DIR/Pk/CryptRsaExtNull.c Pk/CryptRsaExtNull.c -cp $DIR/Pk/CryptPkcs7Sign.c Pk/CryptPkcs7Sign.c cp $DIR/Pk/CryptPkcs7SignNull.c Pk/CryptPkcs7SignNull.c cp $DIR/Pk/CryptPkcs7Verify.c Pk/CryptPkcs7Verify.c -cp $DIR/Pk/CryptPkcs7VerifyNull.c Pk/CryptPkcs7VerifyNull.c -cp $DIR/Pk/CryptDh.c Pk/CryptDh.c +cp $DIR/Pk/CryptDhNull.c Pk/CryptDhNull.c cp $DIR/Pk/CryptX509.c Pk/CryptX509.c cp $DIR/Pk/CryptAuthenticode.c Pk/CryptAuthenticode.c cp $DIR/Pem/CryptPem.c Pem/CryptPem.c From 597dd8393bf0ce193cb012dd928bca0a2529ba69 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 2 Oct 2014 01:01:46 -0400 Subject: [PATCH 157/163] Another testplan error. Signed-off-by: Peter Jones --- testplan.txt | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/testplan.txt b/testplan.txt index ab88781..0b0569e 100644 --- a/testplan.txt +++ b/testplan.txt @@ -47,27 +47,25 @@ How to test a new shim build for RHEL/fedora: fs0:\EFI\test\lockdown.efi 17) enable secure boot verification 18) verify it can't run other binaries: - fs0:\EFI\redhat\grubx64.efi + fs0:\EFI\test\grubx64.efi result should be an error, probably similar to: "fs0:\...\grubx64.efi is not recognized as an internal or external command" -19) copy test.efi to grubx64.efi: - cp \EFI\test\test.efi \EFI\test\grubx64.efi -20) in the EFI shell, run fs0:\EFI\test\shim.efi -21) you should see MokManager. Enroll the certificate you added in #13, and +19) in the EFI shell, run fs0:\EFI\test\shim.efi +20) you should see MokManager. Enroll the certificate you added in #13, and the system will reboot. -22) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi +21) reboot to the UEFI shell and run fs0:\EFI\test\shim.efi result: "This is a test application that should be completely safe." If you get the expected result, shim can run things signed by its internal key ring. Check a box someplace that says it can do that. -23) from the EFI shell, copy grub to grubx64.efi: +22) from the EFI shell, copy grub to grubx64.efi: cp \EFI\test\grub.efi \EFI\test\grubx64.efi -24) in the EFI shell, run fs0:\EFI\test\shim.efi +23) in the EFI shell, run fs0:\EFI\test\shim.efi result: this should start grub, which will let you boot a kernel If grub starts, it means shim can run things signed by a key in the system's db. Check a box someplace that says it can do that. If the kernel boots, it means shim can run things from Mok. Check a box someplace that says it can do that. -25) remove all boot entries and the BootOrder variable: +24) remove all boot entries and the BootOrder variable: [root@uefi ~]# cd /sys/firmware/efi/efivars/ [root@uefi efivars]# rm -vf Boot[0123456789]* BootOrder-* removed ‘Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c’ @@ -76,14 +74,14 @@ How to test a new shim build for RHEL/fedora: removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’ removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’ [root@uefi efivars]# -27) reboot -28) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just +25) reboot +26) the system should run \EFI\BOOT\BOOTX64.EFI . If it doesn't, you may just have an old machine. In that case, go to the EFI shell and run: fs0:\EFI\BOOT\BOOTX64.EFI If this works, you should see a bit of output very quickly and then the same thing as #24. This means shim recognized it was in \EFI\BOOT and ran fallback.efi, which worked. -29) copy the unsigned grub into place and reboot: +27) copy the unsigned grub into place and reboot: cp /boot/efi/EFI/test/grubx64-unsigned.efi /boot/efi/EFI/test/grubx64.efi -30) reboot again. +28) reboot again. result: shim should refuse to load grub. From f6bff34f51cc0ed024ba5262e36a141cd220d4d4 Mon Sep 17 00:00:00 2001 From: Sebastian Krahmer Date: Thu, 2 Oct 2014 01:01:54 -0400 Subject: [PATCH 158/163] shim buffer overflow on ipv6 option parsing --- netboot.c | 102 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 62 insertions(+), 40 deletions(-) diff --git a/netboot.c b/netboot.c index 238937d..f884cba 100644 --- a/netboot.c +++ b/netboot.c @@ -108,29 +108,34 @@ BOOLEAN findNetboot(EFI_HANDLE device) static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) { - void *optr; - EFI_DHCP6_PACKET_OPTION *option; - CHAR8 *url; - UINT32 urllen; + void *optr = NULL, *end = NULL; + EFI_DHCP6_PACKET_OPTION *option = NULL; + CHAR8 *url = NULL; + UINT32 urllen = 0; optr = pkt->DhcpOptions; + end = optr + sizeof(pkt->DhcpOptions); - for(;;) { + for (;;) { option = (EFI_DHCP6_PACKET_OPTION *)optr; if (ntohs(option->OpCode) == 0) - return NULL; + break; if (ntohs(option->OpCode) == 59) { /* This is the bootfile url option */ urllen = ntohs(option->Length); - url = AllocateZeroPool(urllen+1); + if ((void *)(option->Data + urllen) > end) + break; + url = AllocateZeroPool(urllen + 1); if (!url) - return NULL; + break; memcpy(url, option->Data, urllen); return url; } optr += 4 + ntohs(option->Length); + if (optr + sizeof(EFI_DHCP6_PACKET_OPTION) > end) + break; } return NULL; @@ -156,45 +161,60 @@ static CHAR16 str2ns(CHAR8 *str) static CHAR8 *str2ip6(CHAR8 *str) { - UINT8 i, j, p; - size_t len; - CHAR8 *a, *b, t; - static UINT16 ip[8]; + UINT8 i = 0, j = 0, p = 0; + size_t len = 0, dotcount = 0; + enum { MAX_IP6_DOTS = 7 }; + CHAR8 *a = NULL, *b = NULL, t = 0; + static UINT16 ip[8]; - for(i=0; i < 8; i++) { - ip[i] = 0; - } - len = strlen(str); - a = b = str; - for(i=p=0; i < len; i++, b++) { - if (*b != ':') - continue; - *b = '\0'; - ip[p++] = str2ns(a); - *b = ':'; - a = b + 1; - if ( *(b+1) == ':' ) - break; - } - a = b = (str + len); - for(j=len, p=7; j > i; j--, a--) { - if (*a != ':') - continue; - t = *b; - *b = '\0'; - ip[p--] = str2ns(a+1); - *b = t; - b = a; - } - return (CHAR8 *)ip; + memset(ip, 0, sizeof(ip)); + + /* Count amount of ':' to prevent overflows. + * max. count = 7. Returns an invalid ip6 that + * can be checked against + */ + for (a = str; *a != 0; ++a) { + if (*a == ':') + ++dotcount; + } + if (dotcount > MAX_IP6_DOTS) + return (CHAR8 *)ip; + + len = strlen(str); + a = b = str; + for (i = p = 0; i < len; i++, b++) { + if (*b != ':') + continue; + *b = '\0'; + ip[p++] = str2ns(a); + *b = ':'; + a = b + 1; + if (b[1] == ':' ) + break; + } + a = b = (str + len); + for (j = len, p = 7; j > i; j--, a--) { + if (*a != ':') + continue; + t = *b; + *b = '\0'; + ip[p--] = str2ns(a+1); + *b = t; + b = a; + } + return (CHAR8 *)ip; } static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; CHAR8 ip6str[40]; + CHAR8 ip6inv[16]; CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); + // to check against str2ip6() errors + memset(ip6inv, 0, sizeof(ip6inv)); + if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); return FALSE; @@ -209,7 +229,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) end = start; while ((*end != '\0') && (*end != ']')) { end++; - if (end - start > 39) { + if (end - start >= (int)sizeof(ip6str)) { Print(L"TFTP URL includes malformed IPv6 address\n"); return FALSE; } @@ -218,10 +238,12 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } - memset(ip6str, 0, 40); + memset(ip6str, 0, sizeof(ip6str)); memcpy(ip6str, start, end - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); + if (memcmp(&tftp_addr.v6, ip6inv, sizeof(ip6inv)) == 0) + return FALSE; full_path = AllocateZeroPool(strlen(end)+strlen(template)+1); if (!full_path) return FALSE; From 0dbc0e7f427c77aa12a58810c3f30f59e203bd5a Mon Sep 17 00:00:00 2001 From: Sebastian Krahmer Date: Thu, 2 Oct 2014 01:01:54 -0400 Subject: [PATCH 159/163] OOB access when parsing MOK List/Certificates on MOK enrollment --- MokManager.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/MokManager.c b/MokManager.c index ecbcdd3..4a9b102 100644 --- a/MokManager.c +++ b/MokManager.c @@ -100,8 +100,18 @@ static UINT32 count_keys(void *Data, UINTN DataSize) EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINT32 MokNum = 0; + void *end = Data + DataSize; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + + /* Use ptr arithmetics to ensure bounded access. Do not allow 0 + * SignatureListSize that will cause endless loop. + */ + if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) { + console_notify(L"Invalid MOK detected! Ignoring MOK List."); + return 0; + } + if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { console_notify(L"Doesn't look like a key or hash"); @@ -137,6 +147,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINTN count = 0; + void *end = Data + DataSize; list = AllocatePool(sizeof(MokListNode) * num); @@ -146,6 +157,11 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { } while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + /* CertList out of bounds? */ + if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) { + FreePool(list); + return NULL; + } if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { dbsize -= CertList->SignatureListSize; @@ -165,10 +181,22 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); + /* Cert out of bounds? */ + if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) { + FreePool(list); + return NULL; + } + list[count].MokSize = CertList->SignatureSize - sizeof(EFI_GUID); list[count].Mok = (void *)Cert->SignatureData; list[count].Type = CertList->SignatureType; + /* MOK out of bounds? */ + if (list[count].MokSize > end - (void *)list[count].Mok) { + FreePool(list); + return NULL; + } + count++; dbsize -= CertList->SignatureListSize; CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + @@ -449,6 +477,8 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) } MokNum = count_keys(KeyList, KeyListSize); + if (MokNum == 0) + return 0; keys = build_mok_list(MokNum, KeyList, KeyListSize); if (!keys) { From a6dfd3e426540b0eafc85f2e6bb3768fe190d3f2 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 2 Oct 2014 01:01:54 -0400 Subject: [PATCH 160/163] Make another integer compare be signed/unsigned safe as well. Signed-off-by: Peter Jones --- MokManager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MokManager.c b/MokManager.c index 4a9b102..ee29051 100644 --- a/MokManager.c +++ b/MokManager.c @@ -192,7 +192,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { list[count].Type = CertList->SignatureType; /* MOK out of bounds? */ - if (list[count].MokSize > end - (void *)list[count].Mok) { + if (list[count].MokSize > (unsigned long)end - + (unsigned long)list[count].Mok) { FreePool(list); return NULL; } From 7d953d6722ee9d2d1e21104bae41d60629332140 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 2 Oct 2014 01:01:54 -0400 Subject: [PATCH 161/163] Use -Werror=sign-compare . I'm going to have to fix any errors that have this anyway, so may as well do it here properly. Signed-off-by: Peter Jones --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 5bc513c..694480b 100644 --- a/Makefile +++ b/Makefile @@ -21,6 +21,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) From 159609ee4eab766673606f5a4e122c78dea390b3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 2 Oct 2014 01:01:54 -0400 Subject: [PATCH 162/163] Correctly reject bad tftp addresses earlier, rather than later. This check is for end == NULL but was meant to be *end == '\0'. Without this change, we'll pass a plausibly bad address (i.e. one with no ']' at the end) to Mtftp(... READ_FILE ...), which should fail correctly, but our error messaging will be inconsistent. Signed-off-by: Peter Jones --- netboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netboot.c b/netboot.c index f884cba..ad5d37e 100644 --- a/netboot.c +++ b/netboot.c @@ -234,7 +234,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) return FALSE; } } - if (end == '\0') { + if (*end == '\0') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } From 7361f67dbd7f7fe98a807d3d12f90a87262124d6 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 13 Oct 2014 16:41:51 -0400 Subject: [PATCH 163/163] Bump version to 0.8 --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 694480b..332a29b 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,7 @@ endif LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) -VERSION = 0.7 +VERSION = 0.8 TARGET = shim.efi MokManager.efi.signed fallback.efi.signed OBJS = shim.o netboot.o cert.o replacements.o version.o